Testimony and Statement for the Record of

Dr. Jason Catlett

President and CEO, Junkbusters Corp.

P.O. Box 7034, Green Brook NJ 08812; (908) 753 7861

Visiting Fellow, Kennedy School of Government,

Harvard University (2001-2002)
on

The Whois Database: Privacy and Intellectual Property Issues

before the

Subcommittee on Courts, the Internet, and Intellectual Property

of the Committee on the Judiciary

House of Representatives

July 12, 2001

Hyperlinked version available at: http://www.junkbusters.com/testimony.html#whois

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp.

I'm grateful for this opportunity to speak here today.

Junkbusters is a for-profit company whose mission is to free people

from unwanted commercial solicitations through media such as email,

physical mail, telephone, and faxes. (The Whois database is a major

source for contact information for all these media.) Since our web

site launched in 1996, millions of people have turned to us as a free

source for information, services and software for stopping junk messages,

particularly email. I have assisted many government organizations and

legislators on email and other privacy issues since the Federal Trade

Commission asked me to explain the mechanics of spamming at their public

workshop on the topic in 1997.

I commend the committee for holding this much-needed oversight hearing

on the Privacy and Intellectual Property Issues of the Whois Database.

I have little to contribute on the topic of intellectual property,

other than to say that it is in a sense somewhat irrelevant to the

privacy interests of an individual whether an organization owns an item of

personal information about a "data subject" (as privacy lawyers call the

individual concerned), versus whether the organization buys, licenses,

barters, scavenges, or steals the data from another party. These are

essentially commercial considerations. The key privacy questions are

whether the data subject consented to the collection, disclosure and

use of the data, whether the organization handles the data fairly and

lawfully, and what rights of redress the data subject has if it does not.

Privacy

Definitions of privacy generally fall into one of two types, both of which

are acutely relevant here. The first is "seclusion from intrusion,"

or the "right to be let alone," to use the phrase made famous in the

1890 law journal article by Brandeis. The second is "informational

self-determination," the right to control the collection, disclosure

and use of information about oneself, formulated by Alan Westin in

his 1967 book "Privacy and Freedom" and now the basis of most modern

privacy statutes worldwide. To take obvious examples in the context of the

Whois database, the first definition addresses whether an individual

registering a domain receives spam or unwanted solicitations via other

media, and the second includes whether information is gathered or sold

by other parties about the registrant without her knowledge and consent.

Violations of these two types of privacy tend to be correlated, since

the gathering of contact information is a means towards the delivery

of an unwanted solicitation, and because the targeting of messages

based on further information makes the activity more economically

attractive. As an illustration, the San Francisco Chronicle reported

in 1997 that Barnes and Noble, an online bookseller, had established

software systems to search people's home pages for references to certain

authors, and emailed them solicitations to purchase new titles in the

genres mentioned. Independent of the fact that the company should have

known better than to try spamming (and soon discontinued the practice),

many people were disturbed by the idea that a profile of their reading

tastes was being assembled in this robotic manner by an unknown party,

let alone being confronted with personalized recommendations based

on them. Even fans of book catalogs might be unsettled by a physical

letter beginning "Dear Murder Enthusiast" or detailing some interest that

they intended to share only with a few friends. Given that the compilers

of marketing lists have for years used Whois registration information

as a source of personal information (in some cases scavenged free,

in others bought from registrars), concerns over the data privacy are

well justified. Most people avoid putting their home address on their

web sites, and they should be able to register a domain name without

effectively giving up this precaution.

The public policy objective of privacy law is to preserve the individual's

right to privacy, while still permitting societal participation.

This is somewhat analogous to intellectual property law, which seeks

to encourage the publication of products of the intellect by providing

certain rights to inventors and authors to control the subsequent

distribution and use of their work. The current situation with the

Whois database is unsatisfactory because individuals are effectively

required to sacrifice some of their privacy in order to participate in

a fundamental Internet activity. Courts have remarked that the Internet

has provided an unprecedented opportunity for free speech; participation

should not be dampened by avoidable erosions of privacy.

The current (1999) ICANN Registrar Accreditation Agreement does contain

some provisions relating to privacy, but they are inadequate in both

theory and practice. [See http://www.icann.org/nsi/icann-raa-04nov99.htm

at J.7.a and F.6.f] The agreement anticipates the possibility of a

registrant licensing a domain to another party whose contact details

are not disclosed, but this is not a satisfactory way of preventing

disclosure for the average user. The agreement also requires the

registrar to impose an undertaking not to use the email addresses from the

Whois database for sending Unsolicited Commercial Email (UCE, or spam),

but in practice this is ineffective. Spam is discussed further below,

and my statement here concludes with a set of specific recommendations

for ICANN. Mine is not the only privacy organization to seek such

reforms; see for example the Electronic Privacy Information Center's

letter of February 16 to the Congressional Privacy Caucus on this topic.

[ http://www.epic.org/privacy/internet/ICANN_privacy.html ]

The requirement of the publication of registration information can

be seen as egregious and anomalous when compared to analogous media.

Telephone subscribers are universally given the option of a non-published

(unlisted) number, regardless of which local phone company they use.

The US Postal Service discloses information about the identity of a post

office box holder only if the holder solicits funds from the public.

Various statutory privacy rights have been established to protect

the nexus of contact in different media, such as the prohibition in

California against telemarketing calls to non-published numbers, so-called

"asterisk laws" in several states mandating an optional designation

in directories for published numbers that must not be telemarketed,

the federal prohibition against junk faxes, and the opportunity to issue

prohibitory orders against senders of unwanted solicitations via US mail.

This procedure was upheld by the Supreme Court in 1971, including its

restriction on the subsequent sale of the address in marketing lists.

My first recommendation below is an addition to the Whois database to

support this kind of protection for email addresses.

Given the lack of such protections in the online world, plus the ease

with which contact information may be inexpensively gathered, it is hardly

surprising that surveys routinely find privacy is the number one concern

of Internet users and a major reason for non-participation by the offline

half of the population. The basic operation of establishing a homestead

in cyberspace should not stand as an example of the lack of respect for

privacy in the architecture of the Internet, particularly when a few

appropriate curtains could be added with comparatively little effort.

To be fair to the original architects, many of their procedures were

devised at a time when the individuals involved were few and often known

personally to one another, so it is understandable that privacy does

not appear to have been a top design priority. Changes are now overdue.

Accountability

Privacy is a fundamental human right, but it is not an absolute right: it

should not provide impervious and permanent cover for criminal activity,

for example. Appropriate mechanisms should be in place for personally

identifying disclosures in the case of law enforcement investigations,

and for civil litigation such as libel, trademark and copyright

disputes. But these mechanisms should restrict disclosures to what is

necessary and fair; checks and balances should protect against misuse.

Making contact information available to everyone is as much an overkill

as if a DMV were to require people to display their driver's licenses on

their lapels when standing on the sidewalk.

Domain names do somewhat differ from other media in that they enable

the registrant to establish an identity that can be used in the role

of a publisher as well as a subscriber to a multi-way communications

channel (though fax broadcasting has a similar quality). But the actual

publication is typically performed by an Internet Service Provider,

or at least via an ISP, and ISPs do not generally require the public

disclosure of contact information for the source. Why should registrars

be any different? ISPs are accustomed to tearing down web pages or

providing subscriber information when required to do so by a court

order. The same procedures can apply to domain name registrations if

this additional step is needed.

Spamming

The problem of spamming is one of the most important and instructive

topics for analysis here. Spamming is not a criminal offense in most

states, but it is socially damaging, undermines consumer confidence in

the Internet, imposes on consumers and businesses billions of dollars

in wasted costs annually, and violates the terms of service of ISPs.

As I have said in testimony before the Senate, I believe spamming should

be prohibited by federal law, and perhaps it will be. But even if it is,

people should still be able to try to avoid spam by reducing the exposure

of their email addresses, and those who are harassed by spammers should

have the means to obtain redress, which in practical terms translates

into identifying the spammer.

The most obvious damage to privacy from the Whois database is due to

the so-called "harvesting" of email contact addresses by spammers.

(I prefer the term "scavenging" because the crop being reaped was not

planted by the scavenger.) As mentioned above, the ICANN agreement with

registrars requires the registrar to impose an undertaking not to use

the data obtained to facilitate spamming. Unfortunately spammers can

blithely ignore the "you agree not to" message attached to the responses

to their requests, because their access is essentially anonymous. Limits

are often placed on the rate at which domain name queries are answered

from any given IP address, but this merely reduces the speed with

which the addresses are obtained, and is ineffective in the long term.

It cannot prevent scavenging any more than a supermarket could prevent

shoplifting by limiting the numbers of bags shoppers are allowed to

carry out of the store.

The observation has often been made that Whois contact information can

help track down spammers, and I certainly agree that this is sometimes

the case. Unfortunately it is rarely much help against career spammers,

who have registered large numbers of domains with contact addresses

such as the Martian embassy and phone numbers such as 202-555-1212.

Beyond these patently false addresses lie more plausible but incorrect

entries. Experienced spam hunters tend not to rely on such self-reported,

unauthenticated and too-often inaccurate information; rather they examine

the header information on the email and use software utilities such as

"traceroute" to establish the ISP that originally carried the spam,

and then ask the ISP to terminate the account. The casual spammer will

usually desist after a warning from his ISP. Furthermore, almost all

spammers give other generally more reliable clues to their identity in

the content of their emails, which are seldom abstract messages such

as "Sin no more." They often ask the addressee to visit a particular

web site, which can be tracked via traceroute and the hosting ISP,

or in the case of a site accepting credit card payment, through the

banking system. Many spams ask directly for checks to be sent to a

post office box specified in the email, which can also be followed.

In practice, self-reported contact information is like a weak door

lock that keeps out the honest unintentional intruder while presenting

no serious challenge to the dedicated burglar. I do not believe the

benefits of tracking amateur spammers via the self-reported contact

details from the Whois database outweigh the damage to privacy caused

by the public availability of the information.

Reducing personally identifiable information

Various other benefits of contact details being public have been cited,

but none of them persuades me that administrative contact must be made

public. Technical contact information is certainly useful for maintenance

tasks, but most technical contacts are business-title roles at ISPs,

not individual registrants. The fact that consumers find it useful to

authenticate a business using the administrative contact information

from the Whois database is no reason to require it of all registrants,

any more than residential phone subscribers should be forced to have

yellow pages entries. Businesses that consider it beneficial can elect

to do so, as proposed in my second recommendation below.

ICANN states in the preamble to its June 2001 survey that

more than 70% of its registrations are by organizations.

[See http://www.icann.org/dnso/whois-survey-en-10jun01.htm under

Background] The remaining twenty-something percent still adds up to

a very large number of individuals whose privacy is being compromised

by their registrations. A policy question arises whether organizations

should be treated differently to individuals. Only natural persons have

privacy rights; entities such as corporations do not, though they may

have an interest in confidentiality: considerable public speculation has

arisen from domain names registered by large companies such as Amazon

and Microsoft. In the case of sole proprietors, the entity may appear

to be an institution when it is in many ways more like an individual.

For these reasons it seems to me appropriate to give institutional

registrations exactly the same control over admin and billing contact

information as individuals have for personal registrations.

I further believe that it may be desirable and feasible for domain names

to be registered with a pseudonym (such as a registrar-issued customer

number), so that no personally identifiable information is provided,

not even to the registrar to whom payment was made (presumably with

a money order). Anonymity and pseudonymity are the most reliable

ways to protect privacy: there is no possibility of personal data

being disclosed or used inappropriately, because it does not exist.

(The difference between anonymous and pseudonymous speech is that while

neither is identified as originating from a specific individual, the

pseudonym allows continuity of interaction and attribution.)

If participation in the digital network without identification raises

concerns in your minds about accountability, consider how routinely

this occurs on the telephone network: with a payphone, using a popular

privacy-enhancing technology called coins. Doubtless some crimes are

facilitated by this opportunity, but nobody would consider this as a

justification for retrofitting the nation's payphones with credit card

readers or for abolishing the quarter. In some countries, including

Italy, it is even possible to subscribe to a prepaid mobile telephone

service without identifying oneself to either the carrier or the

government. If the phone appears to be involved in criminal activity,

law enforcement can have the service suspended or obtain the identity

of the subscriber by examining the numbers called or by wiretapping calls.

The situation for pseudonymous domain names would be analogous.

Notice that the registration itself is unlikely to be considered criminal:

even if the text of the domain name were arguably libelous or blasphemous,

is there any prospect of real harm merely from its presence in the

Whois database? Registrars have already addressed the question of

obscene domain names, and can decline to register them if they consider

them offensive. Even in the case of trademarks, it is far from clear

that merely registering FamousNameSucks.org without publishing

a corresponding web site would constitute infringement. Rather, it

is activities other than registration that constitute the wrongdoing,

and those activities entail their own means of tracing the malefactor:

the Whois database cannot reasonably be expected to serve that purpose,

any more than the white pages should be expected to deter harassing

phone calls.

Where it is found appropriate to revoke a domain name, it is obviously

just as easy to terminate domain name service for a pseudonymous

account as it is for one registered to Thomas Paine or the Federalist

Publishing Company. The Famous Name Corporation can still sue a John

Doe defendant, seek his identity from an ISP, and persuade a court to

have the registration transferred to it.

If a Unabomber wishes to publish his manifesto anonymously, he is

likely to find other options preferable to registering the domain

ExplodeTechnologists.org. Even if he did wish to establish such a

web site, he would be more likely to give his administrative contact

address as Mauritius rather than Montana. The FBI would be no more

hampered by pseudonymous registration than the false details in this

registration; its agents would probably sooner seek the assistance

of the ISP hosting the domain rather than sending field agents to the

Indian Ocean. Some spammers favor disposable return email addresses,

which pseudonymous registrations could provide, but they already have

that by claiming to be from the Martian embassy, or less flagrant false

addresses. Also, free web-based email services have a cost advantage

to the spammer over domain name registration. In short, pseudonymous

registration of domain names seems unlikely to lower the practical level

of accountability for objectionable behavior, because such behavior can

be more reliably and appropriately traced by other means.

Pseudonymous registration does raise some logistic questions, such as

how renewal notices are to be sent (perhaps by anonymous remailers),

but I believe that deliberation would likely find practicable solutions,

so I suggest that ICANN investigate the question.

This is one of the following several specific recommendations I

respectfully submit to ICANN and the committee to improve the privacy

of registrants and Internet users.

Recommendations

1) UCE field: The addition to the registration database of a field

indicating the registrant's disposition towards Unsolicited Commercial

Email from any party to email addresses within the domain (not merely

the one provided as part of the registration). At least three possible

registrant responses should be supported: unwilling, willing, and not

indicated.

This measure has similarities to the "do-not-call" lists and "asterisk

laws" that several states have passed against telemarketers. The UCE

field may be usable under existing state anti-spam legislation such as

California's, and possibly by future federal and state legislation.

2) Disclosure election: Registrants should be given the opportunity

to indicate their disposition toward disclosure by their registrar of

billing and admin contact information. At least three possible registrant

responses should be supported: unwilling, desired, and not indicated.

I believe ICANN should require this of registrars. This option should

apply not merely to email address, but to all contact data. Domain name

registrants receive a great deal of junk physical mail as a result of

registering (some due to their registrar actively selling the contact

details as a mailing list). Registrants should not have to be burdened

with this.

In the case of Registrars who wish to sell for marketing purposes contact

information about their registrants (versus distributing it via the

Whois database), separate affirmative consent should be required (opt-in).

3) Population of fields: A program to encourage or require registrars

to seek and process customers' elections for the above two fields (UCE

and disclosure).

Registrants need not be immediately pestered for a response, but

the process should be easily available via the registrar's web site,

and the question should be posed prominently at the time of renewal.

Consideration should be given to whether the registrant's response ought

to be made public as part of the Whois database; this transparency may

be beneficial in seeing whether registrars are withholding or providing

data about registrants who have made no election.

4) Plaintiff's procedures: The development of standard procedures for the

processing by registrars of requests for the on-forwarding of messages

to, or the disclosure of contact information about, registrants who have

elected against disclosure of their contact information.

A typical question here is what should happen when a trademark owner

wishes to send a cease-and-desist notice to the operator of a web site.

The procedure should not impose undue burdens or liability on registrars.

5) Development of appropriate legal mechanisms to support the three

points above.

Privacy rights require an enforcement mechanism with a sound legal basis.

For example, if a registrar discloses a registrant's personal data

contrary to her instructions, what procedures does she have for redress?

6) Pseudonymous registration: The development of appropriate mechanisms

to support pseudonymous registrations.

I believe that the steps I recommend above would greatly improve

the privacy of Internet participants without significant deleterious

side-effects.

I appreciate the opportunity to speak with you today. I would be pleased

to answer your questions.