An open letter to PFIR on "Whois" privacy [priv]

[Declan McCullagh <declan () well com>]

[I invite PFIR to reply. --Declan]


-------- Original Message --------
Subject: An open letter to PFIR on DNS WHOIS
Date: Tue, 22 Jun 2004 21:09:11 -0400
From: Tom Cross <tom () memestreams net>
To: lauren () pfir org, neumann () pfir org, dave () farber net
CC: declan () well com, whois-tf1-report-comments () gnso icann org

An open letter to People for Internet Responsibility on Access to DNS
WHOIS Data

Mr Weinstien, Mr. Neumann, and Mr. Farber,

        Shocked, awed, and appalled. Thats the only way that I can express how
I felt when I read PFIR's Statement on Access to WHOIS Data.
(http://www.pfir.org/statements/whois-access) Lauren Weinstein, Peter
Neumann, and David Farber are three men who have provided sharp and
insightful leadership to the internet community for years, and are well
known, well respected, and well read by just about anyone who cares
deeply about technology issues. I do not always find myself agreeing
with your various opinions, but never have I seen any of you express
ideas so caustic to the values that I hold dear, and so lacking in
thoughtful balance, then those expressed in this essay. Its like I've
walked through the looking glass.

Anonymous Speech is a RIGHT, not a privilege.

This point has been reaffirmed over and over again by almost 230 years
of American jurisprudence of which you surely must be aware. The
Federalist Papers, published anonymously, are so fundamental to our
system of government that every high school student is required to
study them. The Supreme Court has repeatedly defended anonymous speech,
and frankly, I cannot express this point more clearly then Justice
Stevens did in McIntyre V. Ohio Elections Commission (1995):

"Under our Constitution, anonymous pamphleteering is not a pernicious,
fraudulent practice, but an honorable tradition of advocacy and of
dissent. Anonymity is a shield from the tyranny of the majority. See
generally J. S. Mill,  On Liberty, in On Liberty and Considerations on
Representative Government  1, 3-4 (R. McCallum ed. 1947). It thus
exemplifies the purpose behind the Bill of Rights, and of the First
Amendment in particular: to protect unpopular individuals from
retaliation--and their ideas from suppression--at the hand of an
intolerant society. The right to remain anonymous may be abused when it
shields fraudulent conduct. But political speech by its nature will
sometimes have unpalatable consequences, and, in general, our society
accords greater weight to the value of free speech than to the dangers
of its misuse."

We cannot relegate political speech on the Internet to second class
citizenship.

The "extremely limited set of cases where domain holders might
demonstrate a clear public safety or other critical need that may
possibly justify masking of some WHOIS data" is the set of ALL
political websites on the Internet. The Internet presently supports a
vibrant ecology of political websites and weblogs of every flavor and
prejudice. Together they constitute a meaningful discourse on nearly
every issue of the day. A large portion of these sites employ WHOIS
proxies or publish limited contact
information.

It is easy, even in the United States, to find examples of individuals
who have been the target of violent retaliation because they have
expressed their political views. Consider, for example, the recent case
in San Francisco of a gallery owner who was assaulted because of a
political artwork she put on display:

http://tinyurl.com/27wvb

If maintainers of political websites and weblogs are forced to offer up
their personal contact information in order to hold a domain name, then
these speakers will not hold domain names. Political speech on the
internet will be a secondary activity occurring on shared hosting sites
and multi-partisan discussion boards with no easy reference points for
like minded communities. In other words, political speech will be put
on the back burner, and the Internet will have less impact in the
political domain then it otherwise would.

You guys are barking up the wrong tree.

DNS WHOIS is NOT the right tool for investigating security incidents on
the Internet! To be sure, DNS WHOIS is a convenient place for
organizations to voluntarily publish contact information, and that
information is helpful when it is present, but security incidents do
not come from domain names, they come from IP addresses. IP addresses
are not always associated with registered domain names. Often they are
associated with subdomains, or not associated with DNS at all.

IP addresses can be resolved in the numbering authority's WHOIS
database for the contact information of the ISP providing service to
that address. Security and reliability issues relating to internet
traffic can and should be dealt with through ISPs. There are
significant problems with the accuracy and resolution of the numbering
authority WHOIS systems, and some ISPs have poor abuse and incident
response policies. Unlike the difficulties with accurate DNS WHOIS
data, these are manageable problems. ISPs have the resources to
maintain accurate contact information and full time incident response
contacts. We simply need to put appropriate policies in place to
improve practices. This is a much more realistic goal then getting
everyone in the world to keep their DNS WHOIS data up to date all the
time. Why are we spending so much time talking about DNS WHOIS when
fixing IP address WHOIS is the best, and easiest way to improve the
security and reliability of the Internet?

You guys are standing along side corrupt interests.

A large number of the people who are advocating accurate DNS WHOIS data
have absolutely no interest in the security or reliability of the
Internet. They are not trying to find a way to contact people because
of technical issues. They are intellectual property holders and they
want every website to have a public address where they can serve
threats of prosecution should they decide that the contents of the
website in question offend their interests.

These people do not want to comply with the due process that our legal
system affords defendants in such cases because its expensive, and
because it means explaining their claims to a judge. They don't want to
deal with ISPs for similar reasons. Frequently, as I'm sure you are
aware, legal threats are sent out which have absolutely no basis in
law. The individuals who receive them often have to comply because they
simply don't have the resources to defend themselves even if they are
in the right. Consider the archives at http://www.chillingeffects.org/

How much time should be required between, for example, the appearance
of forged e-mails or wider Internet postings containing libelous
materials, false accusations aimed at ruining reputations or causing
massive financial loss, vs. the ability of the aggrieved party to start
discovering who is behind the attack before reputations or even entire
organizations are massively damaged?

EXACTLY the amount of time that a COURT needs to deliberatively balance
the interests of both parties to the dispute. Not every party who
claims a grievance is in the right! We have a process in the United
States that allows an aggrieved party to prosecute a John Doe defendant
and obtain access to that defendant if their claim is reasonable. We
even have facilities for accelerating the usual processes if the
circumstances are extenuating. To build an alternate structure with the
intent of short cutting these processes is to do an end run around our
democratic system of government!

These are not technical security and reliability issues. These are
content issues, and they should be dealt with through the legal system,
not through ICANN. I strongly urge you to carefully reconsider your
position on this matter.

Tom Cross
Just an ordinary unknown computer geek.


_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)