Shareholders benefit from registry operator providing sanctuary to online criminals and child sex abusers; Congress instructed NTIA to fix the problem — here's how.
"The Internet is the real world now."
This assessment was offered by Protocol, a technology industry news site, following the very real violence on Capitol Hill during the counting of the electoral college votes that officially determines the next president of the United States. The media outlet went on to say that, "[t]he only difference is, you can do more things and reach more people online — with truth and with lies — than you can in the real world."
Despite a seminal role as the Internet's originator and a global leader in technology adoption, Americans have often struggled with addressing the negative ramifications of technology. One example is the debate about violence in video games, which has been cited as possibly contributing to tragic incidents of gun violence in American schools. Concerns about possible correlations between what teenagers were seeing in video games and what a small number of students then chose to act out in real life sparked a national conversation involving policy makers, parents, teachers, students, video game companies and a myriad of other stakeholders seeking solutions that might address the issue.
This robust engagement by a broad spectrum of stakeholders, particularly the video game industry itself, sits in stark contrast to the anemic, trying-but-not-really, effort seen from ICANN and its registry operators and registrars to make domain name registrant identification data available to U.S. law enforcement, American consumers, intellectual property owners, and other stakeholders with legitimate access needs.
To briefly summarize, following the global adoption of the European Union's General Data Protection Regulation (GDPR), ICANN unilaterally determined that the WHOIS database — which had been operating since the modern Internet's inception and before ICANN was created — contravened the E.U.'s new law and relieved registries and registrars from contractual obligations that required the collection of WHOIS registrant data.
ICANN then convened the comically misnamed and hapless Expedited Policy Development Process, or EPDP, to convene stakeholders and develop a solution. This so-called expedited process — which has been declared a failure of the multistakeholder governance model by ICANN's Governmental Advisory Council along with its Business and Intellectual Property Constituencies and others in minority statements accompanying proposed recommendations — has taken years to develop a proposed solution that enjoys little support from the stakeholders that developed it, isn't likely to be effective, and, in any event, will be implemented at a leisurely pace expected to be completed somewhere between years from now and never.
Considering that the availability of registrant identification data to anyone with access to the Internet has been a stated Internet policy imperative of the U.S. government since before ICANN existed and was referred to simply as NewCo, it is fair to consider that there is more — much more — to this process failure than meets the eye.
The reality is that registry operators and registrars have never been fans of collecting, storing, and making registrant identifiers available. However, before ICANN unceremoniously disposed of WHOIS, every registry operator provided what is known as Thick WHOIS data — which, as the adjective suggests, includes registrant identifiers along with basic Thin WHOIS data about the domain name itself — with one glaring exception: Verisign.
Thick WHOIS was approved for implementation by ICANN's Board in February 2014. Nearly three years passed until a Proposed Policy Implementation plan was issued for .com, .net, and .jobs — all Verisign-operated — to transition to Thick WHOIS and also set deadlines of May 2018 and February 2019 for compliance. Five years would seem a generous allotment of time for complying with a data-collection rule that every single other registry and registrar were already complying with.
However, in October 2017, May 2018, October 2018, and March 2019, ICANN's Board granted six-month extensions requested by Verisign. Finally, in November 2019, ICANN's Board acquiesced to Verisign's fifth extension request by granting an indefinite deferral until a group of conditions are satisfied pertaining to implementation of the EPDP-developed replacement for WHOIS, which, as previously noted, is now known to be somewhere between years from now and never.
It is unclear what persuaded ICANN's Board that these delays affecting a majority of the Internet's domain names were in the public interest or anything other than a terribly awful idea. However, given recent evidence of ICANN's susceptibility to loosening consumer pricing safeguards after receiving a $20 million contribution earmarked for "security, stability, and resiliency," one is forgiven for being curious about the street value of such pliancy.
What is beyond certain is that compliance costs weren't prohibitive for any of the much smaller and less profitable registries and registrars who all complied dutifully while their much bigger and much wealthier fellow registry skated by with endless delays. A sentient observer is forgiven for concluding that there is a double standard where, on one hand, the Internet's largest domain name monopolist enjoys a close working relationship and cozy alignment with ICANN that produces tangible beneficial outcomes while, on the other hand, there are the hoi polloi, the great unwashed, and les miserables — otherwise known as everybody else.
Regardless, security, stability, and resiliency, or SSR, is an unfortunate, limited, and network-centric view of the mission for Internet policy that is dangerously outmoded. A more modish view, perhaps, would put humans at the center of Internet policy development, and this could result in a more expanded and expansive view, not of authority or mandate, but of obligation and duty as more stakeholders begin viewing safety as a necessary addition to the SSR trifecta.
That being said, the consequences of network-centric thinking are clear and terrible things are being perpetrated in the deep shadows cast by the void of registrant identifier data. The harm to American persons and property is undeniable and multiple U.S. federal agencies have weighed in with increasing alarm.
- In 2006, then-Chairman of the Federal Trade Commission, Jon Leibowitz, traveled to ICANN's meeting in Morocco and warned that, "(t)he FTC is concerned that any attempt to limit Whois to this narrow purpose will put its ability to protect consumers and their privacy in peril."
- More recently, in 2020, the FTC wrote to Congress and said, "(t)he FTC uses this (WHOIS) information to help identify wrongdoers and their location, halt their conduct, and preserve money to return to defrauded victims."
- The Department of Homeland Security has also weighed in, saying in a 2020 letter that, "(s)ince the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow." DHS also cited in the same letter the lack of WHOIS information as hindering its response times to criminal activity.
- Perhaps most damning, however, is the State Department's official statement of U.S. policy regarding GDPR which declared, "...WHOIS no longer functions properly. As a result, criminal investigations necessary to protect the public — including the most vulnerable, such as children who are subject to online sexual abuse — have been impeded."
Let that sink in for a moment: the official position of the United States government is that the deliberate dysfunction of WHOIS directly correlates to the sexual victimization of children. Then consider the words written in a letter by a consortium of groups combatting online sexual abuse of children which said:
"Verisign is uniquely unforthcoming. We have regularly worked and had conversations with just about every Internet company you can think of and quite a few you are unlikely to know. Only Verisign has been so utterly uncommunicative. This is a very poor show and runs completely contrary to the spirit of multi-stakeholderism."
The letter continues in strong and unequivocal language:
"To put the matter plainly, it is immoral for a business to attempt to deflect responsibility by arguing these matters are the sole provenance of law enforcement and courts. As the dominant registry in the global system, Verisign should be taking a leadership position, adopting voluntary procedures to combat online child sexual abuse."
Considering that a 2017 report of the Internet Watch Foundation found that 79% of all child sexual abuse webpages reside in .com and .net, one might consider appealing to those who are actually benefitting from the registration fees that are collected by Verisign for the domain registrations used for such heinous activity. A quick search online reveals that Verisign is, by and large, owned by a veritable cornucopia of the richest and most powerful institutional investment firms in the world.
There are too many to list here but, as of September 2020, the top four, each with an equity position that exceeds $1 billion, are Berkshire Hathaway, Vanguard Group, BlackRock, and Renaissance Technologies. Far from enlightened, however, Verisign shareholders are, in fact, malefactors of great wealth who are profiting from registration fees that are paid to Verisign by intellectual property thieves, child sex abusers, and other criminals that operate in the Internet's largest registries. These bad actors remain unmolested because the registry operator not only didn't implement essential Thick WHOIS data requirements that protect Americans but also stood by and did nothing while ICANN incinerated WHOIS entirely.
It is important to keep in mind that this is a company operating risk-free legacy registries entrusted to it by the U.S. government with the explicit understanding that it could enjoy ridiculously massive profits in exchange for nothing more than protecting the public interest. Considering the literally gross profit margins being generated, the question for shareholders is simple: if they are benefiting from this, then they should know about it; if they aren't, then it shouldn't be happening.
The time for discussion and debate is over. There is too much bad faith, too many agendas, and too much water under the bridge. Fortunately, since there is no requirement that ICANN must oversee the collection of registrant identifiers — and it has more than proven itself incompetent and incapable of doing so — the solution is likely very simple.
Availability of registrant identifiers has always been a priority of the U.S. government and it should solve the problem in much the same way that the E.U. precipitated it: by setting a policy that must be complied with by every registry and registrar that maintains a domain name registration that is, or may be, accessed by an American citizen. Failure to comply should result in the levying of hefty fines and, if necessary, seizures of domain names and other assets just as the U.S. Treasury Department does for money laundering, terrorist financing, narcotics distribution, and other crimes. Why should online sexual abuse of children, illegal opioid sales, intellectual property theft, and other crimes that harm Americans be combatted any less vigorously?
In the past, domain name registrant data could be found online at internic.net and after ICANN's formation, it was granted a license to the InterNic trademark and website. But the trademark is still owned by the U.S. Commerce Department which should send a strong and unmistakable message of no-confidence to ICANN and its contracted parties by cancelling the license and reclaiming its property as the new forever home for registrant identifier data that is "available to anyone with access to the Internet."
Written by Greg Thomas, Founder of The Viking Group LLC