Internet Domain Name Fraud - the U.S. Government’s Role in Ensuring Public Access to Accurate Whois Data

 

Prepared Testimony of

 


Steven J. Metalitz


Counsel, Copyright Coalition on Domain Names

 

 

Before the


Subcommittee on Courts, the Internet and Intellectual Property

Committee on the Judiciary

United States House of Representatives


Washington, DC



September 4, 2003






Steven J. Metalitz

Smith & Metalitz LLP

1747 Pennsylvania Avenue, NW, Suite 825

Washington, DC 20006-4637 USA

Tel: (202) 833-4198; Fax: (202) 872-0546

Email: metalitz@smimetlaw.com















U.S. House Judiciary Committee

Subcommittee on Courts, the Internet and Intellectual Property

September 4, 2003

 

Summary of Testimony of Steven J. Metalitz

Counsel, Copyright Coalition on Domain Names

 

The Copyright Coalition on Domain Names (“CCDN”) is made up of leading copyright industry trade associations; performance rights organizations; and copyright-owning companies. Its focus is to maintain public access to Whois data, and improve its accuracy and reliability, as a key enforcement tool against online infringement.

 

·    WHOIS: Accuracy and Accessibility are Critical to E-Commerce and Accountability Online

 

Access to accurate and reliable Whois data is not only important for enforcing intellectual property rights, but is also vital for consumer protection; law enforcement investigations of online crimes; and network security. The recent epidemic of “phishing” or corporate identity theft involves all these concerns, and accurate Whois data could play a critical role in preventing or investigating such frauds. All Internet users have a stake in keeping Whois data accessible and making it more accurate.

 

·    Whois Data Quality Remains Poor, and its Accessibility Has Decreased


             The Whois database remains riddled with inaccurate data, as it was at the time of the last hearing in 2002. Whois data has also become less accessible: registrars are evading or defying their contractual obligations to ICANN, and have essentially eliminated bulk access to Whois data. Within the fastest growing part of domain name space - country code Top Level Domains (ccTLDs) -- accessibility of registrant contact data remains wildly inconsistent.

·    What is ICANN Doing About the Problem?

             ICANN established a mechanism for receiving complaints of false Whois data and passing these complaints along to registrars for action. But it is unclear that this mechanism has had any impact on making Whois data more accurate. For more than two years, an ICANN task force exhaustively studied Whois issues, but its final recommendations were extremely modest and unlikely to be effective. There has been progress in bringing ccTLDs under the ICANN umbrella, but only under terms that rule out any role for ICANN in Whois policies. The basic problem remains: ICANN has never effectively enforced the contractual commitments that registrars have made as a condition of receiving accreditation. Despite new leadership and re-organization, this failure, unless corrected, compromises ICANN’s prospects.

·    How to improve the situation

The impending expiration of the Memorandum of Understanding between the Commerce Department and ICANN marks a critical juncture. We urge DOC to (1) obtain an ICANN commitment to contract enforcement, embodied in the MOU; (2) keep a close eye on the Whois policy development process; (3) build an international constituency for Whois within the ICANN Governmental Advisory Committee (“GAC”); (4) push for best practices on ccTLDs; (5) advocate within intergovernmental organizations for accessible and accurate Whois; (6) be alert for other international fora where this issue can be advanced. Beyond oversight, Congress needs to consider legislative options, particularly if an ICANN contractual enforcement campaign never materializes or is ineffective.

Chairman Smith, Representative Berman, and members of the Subcommittee:


            Thank you for this opportunity to appear again to present the views of organizations of copyright owners on an issue that is vital to the enforcement of intellectual property rights in the online environment: ready access to accurate Whois data.


            Before beginning my testimony, I would like to commend the subcommittee for its diligent and consistent focus on this critical issue over the past several years. The convening of this timely hearing, as well as the letter which Chairman Smith and Representative Berman sent to Secretary Evans last month on this issue, should be applauded by all who care about the healthy development of the Internet and e-commerce.


I am here today as counsel to the Copyright Coalition on Domain Names (CCDN), which has worked since 1999 on this issue. CCDN participants include leading industry trade associations such as the Business Software Alliance (BSA), the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the Software and Information Industry Association (SIIA); the two largest organizations administering the performance right in musical compositions, ASCAP and BMI; and major copyright-owning companies such as AOL Time Warner and the Walt Disney Company.

The interests of copyright owners in preserving and improving access to reliable Whois data overlap considerably with those of trademark owners. Of course, many of the companies participating in CCDN, either directly or through their trade associations, own some of the world’s most valuable trademarks and service marks. These companies invest heavily in defending these marks against infringements of their intellectual property rights that take place online. Many of my remarks today apply at least as much to trademark concerns as they do to copyright matters.


This testimony will address four main questions:

·   Why is real-time public access to complete and accurate Whois data essential?

·   What is the current situation, and how has it changed since the Subcommittee’s last hearing on the topic in May 2002?

·   What is ICANN doing about the problem?

·   What steps can be taken by the Department of Commerce - or by Congress - to improve the situation?


I.         WHOIS: Accuracy and Accessibility are Critical to E-Commerce and Accountability Online

 

In its hearings over the past few years, this Subcommittee has compiled a comprehensive record, establishing why it is essential for the public to continue to have real-time access to contact data on domain name registrants - referred to as “Whois data” - and why the accuracy and currentness of this data is of the utmost concern. CCDN’s primary focus is on the availability of Whois data for use in enforcing intellectual property rights online, but we know that is only part of a wider picture of the importance of accurate and accessible Whois.

 

As you know, copyright owners are currently battling an epidemic of online piracy. Whois is a key tool for investigating these cases and identifying the parties responsible. Every pirate site has an address on the Internet; and through Whois and similar databases, virtually every Internet address can be linked to contact information about the party that registered the domain name corresponding to the site; about the party that hosts the site; or about the party that provides connectivity to it. No online piracy case can be resolved through the use of Whois alone; but nearly every online piracy investigation involves the use of Whois data at some point.

 

Trademark owners use Whois in a similar way to combat cybersquatting, the promotion of counterfeit products online, and a wide range of other online infringement problems. They also depend on accurate and accessible Whois for a number of other critical business purposes, such as trademark portfolio management, conducting due diligence on corporate acquisitions, and identifying company assets in insolvencies/bankruptcies.

 

Enforcing intellectual property rights is only one of the beneficial uses of Whois data. Others include:

 

·   Consumer protection: In your hearings last year, the Federal Trade Commission explained how they rely upon accessible and accurate Whois data to track down online scam artists, particularly in the cross-border fraud cases to which consumer protection agencies around the world are devoting increasing attention.

·   Law enforcement: You will hear from a representative of the FBI today about the role Whois data plays in law enforcement activities generally. Public access to this data is critical to facilitate the gathering of evidence in cases of crimes carried out online, particularly in complex cybercrimes.

·   Network security: The applications of Whois data in this arena deserve more attention than they have received. When a virus is detected, a denial of service attack unfolds, or another threat to the security of networked computing resources is identified, the response often requires instantaneous access to Whois data. ICANN’s expert Security and Stability Advisory Committee recently concluded that “Whois data is important for the security and stability of the Internet” and that “the accuracy of Whois data used to provide contact information for the party responsible for an Internet resource must be improved.”

             In practice, several of these well-established and vital uses of Whois data often overlap. Consider the troubling upsurge in cases of “phishing” or “corporate identity fraud.”

In recent weeks, hackers have set up “cloned sites” on the Internet that skillfully imitate the look and feel of the sites of major financial institutions, online service providers, or E-commerce companies, and that use domain names that are confusingly similar to the marks of these legitimate companies. These fraud artists then send mass e-mails to depositors, subscribers, or other customers of the legitimate companies, directing them to the cloned site where they are asked to provide social security numbers, PIN numbers, credit card numbers or other sensitive personal information, purportedly to “verify,” “update,” or “renew” their accounts. As the chairman of the FTC recently observed, “Phishing is a two time scam. Phishers first steal a company’s identity and then use it to victimize consumers by stealing their credit identities.”

            Phishing is thus not only of concern to law enforcement agencies, consumer protection groups, intellectual property owners, and network security specialists: it also threatens the personal privacy of every consumer who is active online. Ready access to accurate Whois data can play a critical role in determining who is engaged in this scam and in bringing them to justice. Indeed, if the quality of Whois data were considerably more accurate than it is today, then it would be that much more difficult for this type of destructive fraud to be carried out.

            Whois data has other important uses. It helps parents know who stands behind sites their children visit online; it helps consumers determine who they are dealing with when they shop online; and it plays a role in ferreting out the source of e-mail spam. In short, all Internet users need Whois to provide essential transparency and accountability on the Internet. We all have a stake in preserving and enhancing real-time access to this database, and in improving its quality and reliability.

II.        Whois Data Quality Remains Poor, and its Accessibility Has Decreased Since the Last Hearing

            Of course, Whois cannot perform the critical functions I have just mentioned if the data it contains is false, incomplete, inaccurate or out of date. As the record of your May 2002 hearing amply demonstrated, at that time the quality of Whois data was deplorably bad. So has the situation changed since then? In a word, no.

The Whois database remains riddled with inaccurate data. This problem has been so well documented, particularly in the work of Ben Edelman of the Berkman Center, that there is little I need to add to his statistical studies and anecdotal examples. Suffice it to say that the specific example of obviously false Whois data that I cited to the subcommittee in my testimony almost sixteen months ago remains in the database today. Indeed, the Whois data for this domain name was even updated in December 2002 - but apparently only to change the registrant’s “name” from “DVD Copy HQ” to “Rico Suave.” The address - 1000 Lavaland Lane, Flabberville, CA - remains unchanged, and is obviously phony.

            Accuracy of Whois data was the focus of last year’s hearing. But the accessibility of Whois data is also a critical issue, and on that front it is clear that conditions have worsened since last May. For example, one of the key mechanisms for providing public access to Whois - “bulk access” - is in a shambles.

Under their contractual agreements with ICANN, domain name registrars are required to make Whois data on their registrants available under license in bulk. This “bulk Whois data” is used by licensees to create value-added services, such as those marketed in connection with trademark searches. The “bulk Whois” obligation has never been popular with registrars, partly because the ICANN contract caps the license fees they can charge. But over the past year, registrars have taken matters into their own hands. They have evaded or defied their contractual obligations to ICANN, and have essentially eliminated bulk access to Whois data.

Some registrars have imposed onerous ancillary restrictions in their bulk access contracts; others have deleted most of the registrations from their database before making it available via bulk access; other registrars have just stopped offering these licenses, even though they promised ICANN they would do so. ICANN has done nothing to stop this. As a result, since so little of the total universe of Whois data can be obtained under bulk licenses, many of the value-added services have been withdrawn from the market.

The agreements with ICANN also require that registrars make Whois information available in response to queries from the public, including via the Web. To date, most registrars continue to make some Whois data publicly available on a retail basis. But too often the data available is incomplete, provided in non-standard formats, or simply not fully accessible. At the same time, many registrars advocate changes to ICANN policies that would allow them to significantly reduce public access to Whois data. If, in the near future, registrars decide unilaterally to restrict query-based public access, just as they have done with bulk access, we have very little confidence that ICANN would move to stop them.

I should add here that the observations above apply only to contact data on registrants in .com, .net or .org - the so-called “legacy generic Top Level Domains,” (gTLDs) for which Whois data is decentralized and held by each registrar, not by the centralized registry. While this still represents most of the domain name universe, the fastest growing part of that universe is found in the 243 “country code Top Level Domains” (ccTLDs), the two-letter domains like .us, .uk and .de (the German ccTLD, which is the world’s largest). The accessibility of registrant contact data for the ccTLDs remains a patchwork quilt; while some ccTLD registries make this data readily available, others (including some of the largest ccTLDs) provide access to only very limited categories of data, or impose other restrictions on access that make it much more difficult to employ Whois.

III.       What is ICANN Doing About the Problem?

            Since the last hearing, and no doubt stimulated in great part by this Subcommittee’s clear interest in the topic, ICANN has taken some steps to address the problems with Whois. However, they fall far short of an effective response to the reality of continued low data quality and reduced access.

            The main step taken by ICANN management was to establish a centralized mechanism for receiving complaints of false contact data in Whois and passing these complaints along to registrars for action. ICANN even went so far as to threaten one registrar with the loss of its ICANN accreditation if it failed to respond to a handful of specific complaints. But it is very difficult to tell if the creation of this complaint mechanism has had any real impact on the problem of false Whois data. ICANN has released very few statistics on the operation of the complaint system, and we understand that some registrars take the position that they are not even obligated to report back to ICANN on what action, if any, they have taken in response to a complaint.

            ICANN’s Generic Name Supporting Organization (GNSO) has also undertaken a protracted process of examining Whois policy issues in an attempt to achieve consensus on what changes are needed. During its life span of over two years, the Whois Task Force conducted a massive online survey about how Whois was being used and what users expected from the system. It also issued a number of interim, draft and final reports. But in the end, the thousands of man-hours devoted to this effort produced remarkably little progress in addressing the problems plaguing Whois.

With respect to improving the accuracy of Whois data, in particular, the Task Force considered a number of proposed recommendations to require registrars to do more, in at least some circumstances, to increase the chances that the registrant contact data they are collecting is bona fide. Virtually all these proposals were rejected, deferred, or watered down to almost nothing. Inexpensive programs are available to registrars that will at least help screen out some false contact data; but registrars have shown little willingness to take even minimal reasonable steps to improve the quality of Whois data.

The final decision adopted by the Task Force and ultimately ratified by the GNSO and the ICANN Board boils down to this: registrars will be required to provide a reminder and an opportunity at least annually for registrants to update or correct their contact data in Whois. This extremely modest reform is likely to have little or no effect on the real problem: registrants who intentionally provide false contact data because they are making uses of domain names for which they do not want to be found.

            Finally, with regard to the chaotic state of Whois accessibility in the ccTLDs, ICANN essentially seems to have thrown in the towel. The recent establishment of a country code name Supporting Organization (ccNSO) within the ICANN framework is certainly a positive step; but the scope of the ccNSO’s jurisdiction is extremely circumscribed and appears to rule out any policy role for ICANN on Whois issues.

            In short, the current stance of ICANN on Whois reflects an all too familiar theme. Within the gTLD environment, the contractual framework for a viable Whois policy is already in place. In order to be accredited by ICANN to register domain names, registrars are required to notify registrants about the need to provide accurate, complete and current contact data; to obtain their consent for making this data available to the public through Whois; to take steps to ensure that the data is in fact bona fide; to respond to reports of false contact data (including by canceling registrations that are based on false data); and to make specified Whois data available to the public, both in real time on an individual query basis, and through bulk access, under specified terms and conditions. The problem is - and the problem has long been - that these obligations have never been effectively enforced by the one entity with clear authority to enforce them: ICANN.

            Copyright and trademark owners, and the organizations that represent them, support ICANN. We support the underlying concepts of this great experiment in private sector self-management of a critical Internet resource. Through the Intellectual Property Constituency, we have participated actively in the many and manifold ICANN policy development processes, including those related to Whois, and will continue to do so. Much can be accomplished through dialogue in the ICANN framework, and we remain deeply engaged in that dialogue. But it is essential that ICANN understand that its failure to effectively tackle the problems plaguing Whois - which translates, to a great extent, to its failure to effectively enforce the contracts it has entered into with registrars and registries - is severely testing this continued support and engagement.

Under new leadership and with a reformed structure and charter, “ICANN 2.0” is laying great plans to take more comprehensive steps to ensure stability and security in the Domain Name System. But all those plans depend upon the development and implementation of voluntary agreements with key players. Unless and until ICANN can instill greater confidence in its approach by effectively enforcing the agreements it has already entered into, its future plans, and indeed perhaps its future viability, will remain shrouded in uncertainty.

 

The success of the ICANN model for private sector, consensus-based management of the DNS depends upon scrupulous observance of the contractual undertakings which embody the policies developed by ICANN. The widespread failure of registrars to abide by those undertakings with respect to Whois, and the even more disturbing failure of ICANN to enforce those undertakings vigorously, does not bode well for the success of the ICANN model. Accreditation by ICANN as a domain name registrar is not an entitlement, but a privilege regulated by contract; and ICANN has not effectively used the power to revoke accreditation in order to achieve higher levels of compliance with contractual commitments.

IV.      What DOC should be doing to improve the situation

            Mr. Chairman, in our testimony at last year’s hearing, we said that, with respect to the problems of accuracy and integrity of the Whois database, “the buck stops with ICANN.” I believe that you and Mr. Berman have correctly recognized that this statement is incomplete. In many respects, the buck stops with the Department of Commerce, which oversees and manages the relationship with ICANN as part of the overall task of managing the Domain Name System. That relationship is at a critical juncture with the impending expiration of the Memorandum of Understanding between the Department and ICANN. We believe that your letter of August 8 to Secretary Evans correctly framed many of the key questions that need to be answered in fashioning the terms and conditions under which that MOU will be extended past September 30.

            The staff of the Department of Commerce, and the other US government representatives who have participated in ICANN, have certainly played a constructive role in encouraging ICANN to step up to the issues of Whois availability and accuracy. We believe that they can and should do more. Here are some specific proposals which we urge DOC to consider.

·   (1) Obtain an ICANN commitment to contract enforcement, embodied in the MOU. As I have already noted, the ineffectiveness of ICANN’s enforcement of its agreements with registrars and registries has repercussions far beyond the issue of Whois. It is long past time for ICANN to commit to devoting adequate resources to the contract compliance, monitoring and enforcement functions, and to providing greater transparency in its enforcement efforts. In the MOU, ICANN should make this commitment, and also agree to much more detailed reporting on its efforts to ensure that registrars and registries meet their responsibilities with regard to Whois data quality and accessibility, among other issues. If ICANN demonstrates its readiness to prioritize contract enforcement activities, DOC should in turn be supportive of proposals for a moderate increase in the per-registration ICANN assessment fee collected by gTLD registrars, if this is needed to achieve adequate funding.

·   (2) Keep a close eye on the Whois policy development process. Following a successful and informative set of workshops on Whois at its recent Montreal meeting, ICANN is embarking on a new phase of policy development activities with respect to Whois and privacy issues. While a number of issues could legitimately enter into this debate, these activities will be most constructive if they focus on incremental steps, particularly in improvement of the quality and accuracy of Whois data, rather than on more sweeping changes that could reduce or restrict access to Whois data and thus undermine the transparency and accountability that Whois can provide. ICANN’s CEO has already stressed the important role of governments in the reorganized ICANN framework for developing policy. The U.S. government should step up to this role in the case of Whois.

·   (3) Build an international constituency for Whois within the ICANN Governmental Advisory Committee (GAC). Ordinary Internet users all around the world will benefit from the increased transparency and accountability that Whois can provide if the quality of its data is improved and if ready access to the data is maintained and enhanced. The governments that participate in the GAC will also benefit, since public access to accurate Whois data facilitates key government functions such as law enforcement, consumer protection, and protection of children from inappropriate online activities. However, these broader public safety and governmental concerns are not always voiced within the GAC, whose participants can be influenced by other bureaucratic and ideological goals. The US government participants in the GAC should make it a priority to build international support for the role of Whois, and to promote awareness of the social costs of restricting access to Whois or failing to address the accuracy issue.

·   (4) Push for best practices on ccTLDs. Although ICANN may not be in a position at present to develop binding Whois policies for ccTLDs, there is much that DOC can do, including within the GAC, to encourage other governments to move their local ccTLD registries toward improved policies. The “GAC Principles for the Delegation and Administration of Country Code Top Level Domains,” adopted in 2000 as a result of U.S. leadership, provide a good starting point for this discussion, and their underlying approach should be maintained. DOC should also consider how our own ccTLD registry - .us - could be promoted as a model for others to emulate. The same agency within DOC both leads the US delegation to the GAC and administers the registry contract for .us; coordination between these two roles should be enhanced.

·   (5) Advocate within intergovernmental organizations for accessible and accurate Whois. The World Intellectual Property Organization (WIPO) is a key forum in this regard. Its “ccTLD Best Practices for the Prevention and Resolution of Intellectual Property Disputes,” adopted in 2001, offer an excellent resource for ccTLDs seeking to adopt sound Whois policies. Because of the importance of Whois as an intellectual property enforcement tool, WIPO’s increased focus on enforcement best practices provides a good opportunity to reinforce the value of accurate and accessible Whois. In addition to WIPO, the International Telecommunications Union (ITU) is becoming increasingly active on issues relating to the domain name system (DNS). While it would certainly be counterproductive for ITU to usurp or supplant ICANN’s role, to the extent the ITU is involved, the USG should be engaged and should advocate for sound policies that promote the transparency and accountability of the DNS.

·   (6) Be alert for other international fora. Promotion of sound Whois policies should be integrated into DOC’s trade policy, e-commerce, and other international activities. With regard to ccTLDs, future trade agreements should build on and improve the provisions of the Singapore and Chile Free Trade Agreements that call on signatories to promote Whois access and accuracy, as well as alternative resolution systems for domain name disputes within their national registries. DOC and other Executive Branch agencies should also consider how best to use fora such as the World Trade Organization to reduce impediments to public access to accurate Whois data, bearing in mind the obligation of all WTO member states to provide effective mechanisms against infringements of intellectual property rights, including those taking place online.

V.      Legislative Options

            Finally, although we recognize that this is an oversight hearing, we urge the subcommittee to also consider legislative changes that could advance the cause of accessible and accurate Whois data. Some relatively simple steps could help. For example, online criminals often submit false Whois data to evade detection when they set up an Internet site for use in carrying out piracy, fraud, or other offenses. It would make sense to adopt a provision increasing the potential sentence of a person convicted of carrying out a federal crime online, when it is proven that false contact data was intentionally submitted in furtherance of the criminal scheme.

The more complex challenge is to enhance existing incentives for registrars and registries to handle Whois data more responsibly. It is obvious that existing incentives are insufficient. Too many registrars and registries do far too little to screen out false contact data at the time of submission; to verify or spot-check contact data that is submitted; or, at a minimum, to respond promptly and effectively to complaints of false contact data, including by canceling the domain name registrations which the false data supports. We hope that more aggressive and effective enforcement by ICANN will make a difference. But if it does not, or if the needed ICANN enforcement campaign is not forthcoming, Congress must seriously consider stepping in to provide the incentives by statute. Should this occur, CCDN would be pleased to work with this Subcommittee on appropriate legislative options.

Thank you once again for the opportunity to testify today. I would be pleased to answer any questions.