Sunday, September 30, 2007

Collision of Privacy and Security?

Wired.com has an article up entitled Dot-Name Becomes Cybercrime Haven which discusses the security implications of fees charged by Global Name Registry, the entity which administers domain names ending in ".name". For most domains (e.g., those ending in ".com") you can find out who has registered the domain easily and without paying any fee. However, with domains ending in ".name", it is necessary to pay a fee of $2.00 to find out who has registered a domain. The Wired article makes this sound like a catastrophe for security, quoting one researcher who says that "What they have done is made sure the .name TLD is free haven for bad guys to lurk on...If I need to report 1,000 domains, I'm not going pay $2,000."

But is charging $2.00 to learn who registered a domain really such a problem for security? After all, if a black hat hacker registers a .com domain, it seems very unlikely that they'd use their real name and address to do so (something which was pointed out in this comment to the Wired.com story). Similarly, if Global Name Registry were served with legal papers, they'd almost certainly cough up the registration information without a fight. Thus, charging a gatekeeping fee seems to be just what the president of Global Name Registry said in his own comment to the story: a compromise between protecting the privacy of individuals and the legacy of openness which has been one of the hallmarks of the Whois domain name system.

The problem with that is that Global Name Registry's protestations about caring for individual privacy are totally disingenuous. For example, to sign up for a ".name" domain you have to agree to terms and conditions which include the following privacy policy:

PRIVACY POLICY: You agree and consent that we will make available the domain name registration information you provide or that we otherwise maintain to the following parties: ICANN, the Registry administrator, and to other third parties as ICANN and applicable laws may require or permit (including through web-based and other on-line WHOIS lookup systems), whether during or after the term of your domain name registration services of the domain name. You hereby irrevocably waive any and all claims and causes of action you may have arising from such disclosure or use of such information. Additionally, you acknowledge that ICANN may establish or modify the guidelines, limits and/or requirements that relate to the amount and type of information that we may or must make available to the public or to private entities, and the manner in which such information is made available.
(emphasis added)

In other words, as long as the law doesn't prohibit Global Name Registry from disclosing information, you agree that they'll do so - not exactly the policy of an organization which values its customers' privacy. Instead, it's exactly the policy you'd expect from an organization which wished to maximize its profit.
