Categories
Internet

ICANN: Enabling the stalker

You’ve had a weblog for a couple of years. You started out with a Blogspot weblog, but have since started your own domain.

You write about politics, but also about your life and interests, just like most webloggers. You’re aware of not giving away much about yourself, so you don’t talk about work or the private, intimate details of your life.

A couple of months ago, you bitched about having to get up so early because you had to be at work. Last week you talked about how early the sun is setting now and it’s almost dark when you get home. It’s full dark when your husband gets home.

Last weekend you and the hubby splurged on a new eMac. You worry about the expenditure because you also bought one of those new Panasoic TVs that project color on the wall behind the TV. You joke how you’re a sucker for all new gadgets that come out.

You’ve made halloween costumes for your kids — look, here’s photos of them. Aren’t they cute? Little Jim is eight and Barbara eleven now, they’re growing so fast. You think about taking them trick or treating, but you don’t know the neighborhood, you haven’t met any of your neighbors. How, when everyone works during the day, and have other activities on the weekend.

Oh, and you’re going to vote for Kerry.

Now, what’s so personal about any of this, and how can it enable a stalker. Shelley, you’re paranoid

Here’s what I know

From your information I know that you’re married, with two young kids. I know that both you and your husband work and are gone during the day. I know about what time you leave for work, and about what time you get home. I also know your husband is home later, which leaves you and the kiddies alone for a time.

You’re not the only one that’s gone during the day — most of your neighbors are, also. And just think, you have a house full of wonderful, and expensive, electronics.

You don’t have a man-eating dog named Bruno protecting the place as you never talk about him.

But then, you have these two cute little kids, and my that’s a pretty little girl, isn’t she?

Still…

Of course none of this matters because no one knows where you live. Except…

Except that you have a domain name, and a whois on that domain not only provides your name, but chances are your address and phone number, too.

Let’s face it, an online existence is full of exposure no matter how careful you are. However, it’s made even more precarious when stalking is actually enabled by an organization such as ICANN.

How ICANN Enables Stalking

ICANN is the Internet Corporation for Assigned Names and Numbers, and is the organization responsible for DNS, or the Domain Name System. Anytime you access a site by a name rather than an IP address, you do so through DNS, under the auspices of ICANN.

When you register a domain, at something like Dotster, which is one of my registrars, you’re working with an ICANN accredited registrar, who then ensures your domain name is connected with two different name servers — one as primary, the other as backup. These nameservers, then, are the servers that provide the actual domain name/IP address mapping. For example, this site is using nameservers provide by the hosting company, Hosting Matters.

All of this works remarkably well, and for much of the criticism of ICANN, we have seen it manage an explosive grown in online presence and activity. However, where ICANN fails, and fails absolutely miserably, is in maintaining the privacy of domain holders.

If you go out to the ICANN FAQ, one of the items on it is a response to the question, Will my name and contact information become publicly available?:

Information about who is responsible for domain names is publicly available to allow rapid resolution of technical problems and to permit enforcement of consumer protection, trademark, and other laws. The registrar will make this information available to the public on a “Whois” site. It is however possible to register a domain in the name of a third party, as long as they agree to accept responsibility — ask your registrar for further details.

In other words, to have a domain name, you have to provide contact information. If you do, anyone can use the Whois database and look this up. Anyone. If you try to obscure your contact information, you risk losing your domain.

Why do this? In a nutshell? Intellectual Property rights.

ICANN states that the reason they do this is for resolution of technical difficulties, but is rarely used as such. It’s also used against those who abuse their ISP’s domains or perhaps spam people, but having this information doesn’t do a bit of good. If you don’t get the response you want just by emailing the person responsible for a domain, it’s very unlikely you’ll do any better if you call them, or visit them. Those who have trapped email addresses from comment spammers and contacted the ISPs have discovered this for themselves.

As for illegal activities, well we all know how secure the Internet is from government agencies. Not.

No the main reason for this is so that people can legally go after those who violate their intellectual property rights, either by using a trademarked term at their site; or using copyrighted material such as photos, text, music, and other media in their pages.

That’s it–the reason most of us are exposed to stalkers of one form or another is so that Disney can protect it’s damn Mouse.

Recently a Whois task force was created to address domain names, Intellectual Property issue, and privacy. In July of this year, Robin Gross of IP Justice sent a letter to ICANN saying that ICANN threatens civil rights. In the letter, Gross wrote:

ICANN’s Whois database of personal information (including name, telephone number, home address, and email address) on millions of individuals who register domain names raises a number of significant civil liberties implications. Over-zealous intellectual property holders use the data to threaten and harass people who often have a lawful right to engage in the online activity but lack the resources to defend themselves. Law enforcement agents access the information in the course of investigations, skirting constitutional protections such as due process of law. Although originally collected for “technical purposes”, the Whois database of personal information has become a virtual honey-pot for abuse, irresistible to those seeking identifying information for any reason.

ICANN’s current policies regarding the Whois database of personal information threaten a number of fundamental freedoms, such as freedom of expression, the right to anonymity, freedom of association, and individual privacy rights. Although setting Internet governance policy, ICANN, a private corporation, makes rules that governments would not be legally permitted to make. Many national constitutions and international treaties guarantee freedom of expression and privacy rights to the public that ICANN’s Whois database policies routinely violate. Since ICANN is a private corporation, and not a government, it is immune from the procedural due process guarantees and other civil liberties protections enshrined in most national constitutions and international treaties.

ICANN forces Registrars to violate privacy laws by publishing registrants’ personal information without their consent. And it undermines fundamental freedom of expression and association guarantees by prohibiting anonymous website publishing. To have any legitimacy, ICANN’s policies for management of the Whois database should, at a minimum, measure up to the standards agreed to in international treaties and national courts dealing with freedom of expression and ensuring consumer privacy protections.

You can follow more on Whois Privacy at this ICANN page. If you look at the summary report from the task force’s effort, you’ll see a lot of analogies with cars and bikes and how ICANN needs to change, but change is best in small steps.Which goes to show that the task force has, to all intents and purposes, not listened to the people who sent letters such as Mr. Gross from IP Justice.

As it stands now, the full Whois privacy statement given to registrars to use can be seen at the ICANN site and includes requirements such as having to provide a postal address, complete phone number information, all of which has to be updated yearly (I’m currently overdue for all my domains — I’m thinking of setting the mailing address to Disney’s home headquarters.)

When you do, unless you specifically tell them how to remove you from the lists, you’ll get letters from people trying to intimidate you into registering all variations of your domain (such as yourdomain.us, yourdomain.org, and so on) or you’ll lose your site ‘identity — not to mention the ocmpanies trying to steal you away from your current registrar.

Even Google, which provides phone number and addresses for people if you search on a name and a city, has an easy to use Phonebook removal page to remove yourself from Google’s Phonebook. ICANN needs something as easy.

(Note to many of you I know — you’re still in the Google Phonebook. In fact, to demonstrate the dangers of this, I came close today to calling several of you, to breath heavily into the phone; except for some odd reason, I was pretty sure many of you would enjoy this, and that’s too kink for me. Regardless, may I suggest you search on the head of household name and city or state and if you see yourself, remove yourself?)

What can you do

Some of us can do more to kick ICANN in the butt about privacy more than others. And hopefully will, and quickly. For the rest of us, you have a couple of options.

First, you can register with a Registrar that’s willing to provide you with a contact for your domain. What this means then is that this contact information will show up in the record during a Whois lookup, not yours. It’s legal, because if they get contacted about your account, because bad you has copied someone’s Mouse picture, they’ll pass that contact on to you, without revealing your name or other information. This is the securest, safest approach to take.

(I’ve started a page at the Wiki to collect URLs for registrars who provide this type of service. If you know of any, and don’t see them on the list, please add them.)

Failing that, you could consider getting a post office box and using this for your address, but this exposes your name and phone number. Of course, many of us put our names with our sites — but not all.

Summary

What never fails to amaze me is how the US is leaning towards re-electing the current President largely because of his handling of security against terrorists. We’ve spent billions on this — enough to have provided adequate health care coverage for every person living here. We’ve given up our freedoms, and antagonized other countries. We’ve even invaded another country.

Yet we’ll get weblogs and post photos of our kids on Flickr, start weblogs for our kids, get domain names with our address and contact information, and tell everyone every last bit of our day to day itineary.

Not only that, but we post photos of our home — inside and out– and also provide loving detail of all the nice new gadgets we’ve bought, not to mention our software and music libraries.

We tell everyone where we’re going to be, and when; especially when we’re going to be out of town, and our homes empty. And we think nothing of announcing a general meetup with anyone in an area who wants to come.

I think our priorities are a little off.

Some more safety tips:

  • In addition to using a registrar who will hide your contact information, you should get with your family and establish a security politicy for online activities. This includes monitoring who your kids chat with, as well as talking about what will and will not be featured on weblogs.
  • I love to see pictures of people’s kids online, but this is not a good idea, unless you are weblogging anonymously.
  • Tell people about your trips — after you’ve returned. No need to talk about it before hand. If you want to meet up with people in your destination city, choose from among the people you know already and contact them directly.
  • Don’t give out daily routine information, about the road you travel, and the hours you work. And don’t blare out for all to hear about your home being empty, or your kid all alone.
  • Do not every mention your kids school, or show pictures of your home or other importatant locations in such a way that the addresses can be derived.
  • If you have grandkids, sure post photos of them. And talk about their recent visit — but don’t tell people ahead of time on your weblog that your grandkids are coming to visit this coming weekend.
  • If you’re a pretty young woman (or boy) and you want to post your address and phone number and semi-naked photos of yourself everywhere, please don’t come crying to us when you get stalked — use some common sense.

Use some common sense. That’s the key. We don’t have to be paranoid as much as we should be aware.

I’m one to talk, as my domains are currently wide open. However, now that I have the bucks, I’m in the process of moving my domains to a registrar who will protect my information. Until then, my address is there for all to see. That’s great: send me birthday cards in a couple of weeks, or roses now. Better yet, make that orchids–I love exotic flowers.

After all, I can trust all of you. Right?