[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
ICANN AND THE WHOIS DATABASE:
PROVIDING ACCESS TO PROTECT
CONSUMERS FROM PHISHING
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
FINANCIAL INSTITUTIONS AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JULY 18, 2006
__________
Printed for the use of the Committee on Financial Services
Serial No. 109-108
U.S. GOVERNMENT PRINTING OFFICE
31-537 PDF WASHINGTON : 2007
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa                    BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana             PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio                     MAXINE WATERS, California
SPENCER BACHUS, Alabama                 CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware             LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California             NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma                MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio                     GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair      DARLENE HOOLEY, Oregon
RON PAUL, Texas                         JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio                   BRAD SHERMAN, California
JIM RYUN, Kansas                        GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio              BARBARA LEE, California
DONALD A. MANZULLO, Illinois            DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North             MICHAEL E. CAPUANO, Massachusetts
  Carolina                              HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois                  RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut          JOSEPH CROWLEY, New York
VITO FOSSELLA, New York                 WM. LACY CLAY, Missouri
GARY G. MILLER, California              STEVE ISRAEL, New York
PATRICK J. TIBERI, Ohio                 CAROLYN McCARTHY, New York
MARK R. KENNEDY, Minnesota              JOE BACA, California
TOM FEENEY, Florida                     JIM MATHESON, Utah
JEB HENSARLING, Texas                   STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey               BRAD MILLER, North Carolina
GINNY BROWN-WAITE, Florida              DAVID SCOTT, Georgia
J. GRESHAM BARRETT, South Carolina      ARTUR DAVIS, Alabama
KATHERINE HARRIS, Florida               AL GREEN, Texas
RICK RENZI, Arizona                     EMANUEL CLEAVER, Missouri
JIM GERLACH, Pennsylvania               MELISSA L. BEAN, Illinois
STEVAN PEARCE, New Mexico               DEBBIE WASSERMAN SCHULTZ, Florida
RANDY NEUGEBAUER, Texas                 GWEN MOORE, Wisconsin
TOM PRICE, Georgia
MICHAEL G. FITZPATRICK,                 BERNARD SANDERS, Vermont
  Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
CAMPBELL, JOHN, California
Robert U. Foster, III, Staff Director
Subcommittee on Financial Institutions and Consumer Credit
SPENCER BACHUS, Alabama, Chairman
WALTER B. JONES, Jr., North             BERNARD SANDERS, Vermont
  Carolina, Vice Chairman               CAROLYN B. MALONEY, New York
RICHARD H. BAKER, Louisiana             MELVIN L. WATT, North Carolina
MICHAEL N. CASTLE, Delaware             GARY L. ACKERMAN, New York
EDWARD R. ROYCE, California             BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma                GREGORY W. MEEKS, New York
SUE W. KELLY, New York                  LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                         DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                   PAUL E. KANJORSKI, Pennsylvania
JIM RYUN, Kansas                        MAXINE WATERS, California
STEVEN C. LaTOURETTE, Ohio              DARLENE HOOLEY, Oregon
JUDY BIGGERT, Illinois                  JULIA CARSON, Indiana
VITO FOSSELLA, New York                 HAROLD E. FORD, Jr., Tennessee
GARY G. MILLER, California              RUBEN HINOJOSA, Texas
PATRICK J. TIBERI, Ohio                 JOSEPH CROWLEY, New York
TOM FEENEY, Florida                     STEVE ISRAEL, New York
JEB HENSARLING, Texas                   CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey               JOE BACA, California
GINNY BROWN-WAITE, Florida              AL GREEN, Texas
J. GRESHAM BARRETT, South Carolina      GWEN MOORE, Wisconsin
RICK RENZI, Arizona                     WM. LACY CLAY, Missouri
STEVAN PEARCE, New Mexico               JIM MATHESON, Utah
RANDY NEUGEBAUER, Texas                 BARNEY FRANK, Massachusetts
TOM PRICE, Georgia
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio
C O N T E N T S
----------
Hearing held on:
July 18, 2006
Appendix:
July 18, 2006
WITNESSES
Tuesday, July 18, 2006
Allen, Catherine, CEO, BITS/Financial Services Roundtable
Bohannon, Mark, General Counsel and Senior Vice President,
Software and Information Industry Association
Harrington, Eileen, Deputy Director, Bureau of Consumer
Protection, Federal Trade Commission
Kneuer, John M.R., Acting Assistant Secretary of Commerce for
Communications and Information and Administrator of National
Telecommunications and Information Administration, U.S.
Department of Commerce
Rotenberg, Marc, Executive Director, Electronic Privacy
Information Center
APPENDIX
Prepared statements:
Bachus, Hon. Spencer
Waters, Hon. Maxine
Allen, Catherine
Bohannon, Mark
Harrington, Eileen
Kneuer, John M.R.
Rotenberg, Marc
Additional Material Submitted for the Record
Statement of the American Intellectual Property Law
Association
Statement of Lynn Goodendorf
Letter from National Association of Federal Credit Unions
Various letters to Internet Corporation for Assigned Names
and Numbers (ICANN)
ICANN AND THE WHOIS DATABASE:
PROVIDING ACCESS TO PROTECT
CONSUMERS FROM PHISHING
----------
Tuesday, July 18, 2006
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:07 a.m., in
room 2128, Rayburn House Office Building, Hon. Spencer Bachus
[chairman of the subcommittee] presiding.
Present: Representatives Bachus, Kelly, Gillmor,
Hensarling, Pearce, Maloney, Moore of Kansas, Baca, and Clay.
Chairman Bachus. Good morning. The subcommittee will come
to order. I have, in the interest of time, submitted a written
statement for the record, but I'm going to shorten my opening
statement.
At today's hearing, we will focus on proposals before the
Internet Corporation for Assigned Names and Numbers, ICANN,
that would limit the public's access to domain name
registrants' contact information via the WHOIS database.
This would put many long-standing and valuable uses of this
data off limits and can make it difficult for law enforcement
and financial institutions to identify, block, shut down, and
in some cases, prosecute, the perpetrators of online financial
fraud.
It has always been ICANN's policy to collect contact
information from registrants of Internet domain names and make
it available to the public.
This policy helps to promote accountability online, since
consumers, financial regulators, and others seeking to
determine who or what entity is responsible for a particular
Web site or other online location can obtain this data through
a service called WHOIS.
Financial institutions, which are the focus of this
hearing, use WHOIS data to combat identity theft and account
fraud, particularly as it relates to phishing.
The financial services industry is currently battling
phishing scams at an unprecedented level. In May 2006, the
Anti-Phishing Working Group, which is comprised of financial
institutions, ISPs, and law enforcement, reported merely
12,000 phishing sites, which on average remained online for 5
days. These sites hijacked the brands of 137 companies in an
attempt to fraudulently gain access to sensitive consumer
information.
Notwithstanding the critically essential and legitimate
uses of the WHOIS database, ICANN is actively considering a
policy change to restrict WHOIS data to those who resolve
"technical issues." If this change is adopted, public access
to most of the data now in the WHOIS database would be denied,
perhaps including data as fundamental as the name of the domain
name registrant.
I am concerned such proposals limiting the use of the
information for resolving technical issues will make it
difficult for financial institutions to respond effectively to
identity theft and phishing attempts.
Timely response to these attacks and identity theft is
critical to protect financial institutions as well as innocent
customers who are most often unaware of their victimization.
In many cases, the only tool financial institutions have
for identifying registrants or purported registrants of domain
names in a timely manner is via the WHOIS contact information.
Such uses of WHOIS data would become slower, more difficult and
expensive, if not impossible, were ICANN to adopt the policy
now being proposed.
I am hopeful that today's hearing will enlighten and inform
the committee as we address what could be a serious setback for
attempts to combat identity theft and fraudulent financial
transactions.
Let me just say the bottom line is that continued full
access to WHOIS data, I believe, is an important tool in the
fight against fraudulent activity against consumers online.
Mr. Moore, I'll recognize you for an opening statement.
Mr. Moore of Kansas. Thank you, Mr. Chairman, for convening
this hearing. I do not have an opening statement. I look
forward to the statements of the witnesses. Thank you.
Chairman Bachus. Let me just say that I want to take this
opportunity to thank you for your participation on the
committee. You are a valuable member and discharge your duties
in a very professional way. I very much value your advice and
input.
Mr. Hensarling?
Mr. Hensarling. [Off microphone]
Chairman Bachus. Thank you, Mr. Hensarling. I could very
well say the same thing about you. I appreciate your
participation in the hearing.
Our first panel is made up of Mr. John Kneuer, Acting
Assistant Secretary of Commerce for Communications and
Information, and Administrator of National Telecommunications
and Information Administration, U.S. Department of Commerce,
and Ms. Eileen Harrington, Deputy Director, Bureau of Consumer
Protection, Federal Trade Commission.
I have reviewed both of your resumes, and they were both
very impressive. We welcome both of you to the hearing.
Mr. Kneuer, we will start with your testimony.
STATEMENT OF JOHN M.R. KNEUER, ACTING ASSISTANT SECRETARY OF
COMMERCE FOR COMMUNICATIONS AND INFORMATION AND ADMINISTRATOR
OF NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION,
U.S. DEPARTMENT OF COMMERCE
Mr. Kneuer. Thank you, Chairman Bachus, and members of the
committee. I am pleased to have this opportunity to address
recent developments related to ICANN and the WHOIS databases,
and the role of the Department of Commerce in this critical
area.
The Department strongly supports continued access to an
accurate, searchable, and publicly available WHOIS database.
This data is critical to meeting a variety of public policy
objectives, including law enforcement and consumer protection.
We have been proactively advocating this position at the
meetings of ICANN and elsewhere.
Under the Memorandum of Understanding (MOU) between the
Department and ICANN, ICANN has agreed to continue to assess
the operation of the WHOIS databases and to implement measures
to ensure secured improved accuracy of WHOIS data.
In accordance with those specific provisions, ICANN has
published three annual reports that provide information on
community experiences with the WHOIS database's problems
reporting system.
While ICANN has full oversight of the WHOIS databases,
there has been some concern about ICANN's generic name
supporting organization, the GNSO, and the policy development
process it has initiated, which among other things seeks to
redefine the purpose of WHOIS data.
In April 2006, the GNSO Council voted in favor of a new
definition of the purpose of WHOIS data that is, "To resolve
issues related to the configuration of the records associated
with the domain name within a DNS name server."
This definition is considered by many, including the U.S.
Government, as a narrow technical definition.
We have been working within the ICANN process to address
this concern.
It is important to understand that this definition reflects
only the views of the GNSO Council, and it does not currently
reflect a change in ICANN policies or procedures. Indeed,
before any change is contemplated, it must be submitted to the
ICANN Board for adoption, and before the Board takes any
action, other ICANN constituencies, including governments
through the Government Advisory Committee, will have an
opportunity to express their views into the process.
Just last month in Marrakech, Morocco, at the ICANN Board
meeting, the U.S. Government submitted a formal statement into
the Government Advisory Committee expressing our concerns. I
have included that statement for the committee's record.
Our concern is as it is now a technical definition, it
would hinder continued access to that database for a range of
legitimate, critical Government uses, including law
enforcement, protection of intellectual property rights, and
consumer protection.
I think it is important to note that this statement that we
submitted reflects not just the views of the Commerce
Department but the views of the Justice Department, the views
of the State Department, Homeland Security, the Federal Trade
Commission, the FBI, the IRS, and the Patent and Trademark
Office.
In developing this position with the U.S. Government, we
have also undertaken considerable outreach to other
constituencies, including the financial services sector.
We facilitated a meeting between U.S. agencies and the
companies associated with the Financial Services Roundtable, to
discuss their concerns, and we are continuing to work with
these and other interested parties to make sure their views are
reflected in the ICANN decision making process before any
formal changes of policy are considered.
We have also been working closely with other national
governments to develop more formal public policy positions, so
those views on the purpose and use of WHOIS data can also be
reflected.
Finally, I would also note that the ICANN Board passed a
resolution in June that acknowledges the open dialogue between
the Government Advisory Committee and the GNSO Council,
regarding the issues covered by the WHOIS Taskforce, as well as
an opportunity for public comment. We think this is a strong
development, and will certainly be a continued opportunity, not
just for governments but other interested parties to have their
views expressed before ICANN makes any decision on a formal
change to its policies regarding WHOIS.
Again, I thank you for inviting me. I look forward to any
questions you may have.
[The prepared statement of Mr. Kneuer can be found on page
97 of the appendix.]
Chairman Bachus. Thank you.
Director Harrington?
STATEMENT OF EILEEN HARRINGTON, DEPUTY DIRECTOR, BUREAU OF
CONSUMER PROTECTION, FEDERAL TRADE COMMISSION
Ms. Harrington. Thank you, Mr. Chairman. Thank you very
much. I am pleased to present the Federal Trade Commission's
testimony this morning, which has been entered into the record.
My statement and any questions that I provide reflect my views
and not necessarily those of the full Commission.
As my colleague mentioned, ICANN recently met in Morocco to
continue its consideration of a proposal to narrow the purpose
of WHOIS databases, and thus limit access to the useful and
important information they contain.
Because this is an issue of great importance to law
enforcers and consumers, Commissioner Jonathan Leibowitz of the
FTC, along with officials from several of our consumer
protection and law enforcement allies from other nations,
attended the ICANN meeting to speak about the importance of
maintaining access to WHOIS databases.
In the wake of the Morocco meeting, we understand that
ICANN is re-evaluating its earlier inclination to adopt a
narrower purpose.
The debate over access to WHOIS databases raises at least
four important considerations. The ability of law enforcers to
access information about fraudsters who use Internet Web sites,
the ability of consumers to know who they are dealing with when
they engage in e-commerce, the needs of some private sector
entities, including financial institutions, to access WHOIS
data to serve important public purposes, and individual privacy
interests.
In the brief time I have this morning, I want to elaborate
on the law enforcement, consumer, and business entity interests
in retaining WHOIS access. I know the important privacy
concerns will be addressed by members of the second panel this
morning.
The FTC makes frequent use of its authority to stop unfair
and deceptive acts or practices to challenge a variety of
Internet-related threats, including phishing, spam, and
spyware.
In these cases, our investigators face the sometimes
daunting task of determining the identity of scoundrels who
hide behind the electronic shield of the Internet. Sometimes,
we unmask the wrongdoers by learning their identities and
whereabouts from WHOIS databases, but even when scamsters
provide false registration information, access to WHOIS
databases provides invaluable leads.
Scammers often provide the same or similar phony
information for multiple Web sites involving several different
schemes, and by having access even to that inaccurate
information, we are able to develop evidence demonstrating
critical linkages that ultimately can help lead us to the bad
guys.
Consumers also need to know who they are doing business
with, whether online or in the bricks and mortar world, and
continued public access to WHOIS data provides the information
that can be essential to consumer confidence in the online
marketplace.
If consumers do not receive the goods or services that they
have purchased, they need to know how to reach the vendor that
they have done business with. We really cannot afford to take
away the consumer confidence in the marketplace that access to
that information provides.
We know that phishing and identity theft are of particular
concern to the committee, and they are to the FTC as well.
Financial institutions are watchdogs, private enforcers,
and sometimes victims of phishing schemes. They receive early
warning from their customers who have received bogus e-mails
from phishers, and they can warn their customers. They can
sometimes bring private actions to halt the misappropriation of
their good names and reputations, and when their customers fall
victims to phishers, their reputations suffer.
They, too, are among the private sector entities who need
continued access to WHOIS registration information for
commercial Web sites. Without it, the risks of identity theft
add harm to consumers and can only grow.
WHOIS databases are one source of valuable information for
the FTC's work to protect U.S. consumers. There are other
critically important tools that the FTC needs, however, to
fight online fraud in the global marketplace.
The FTC has previously recommended that Congress consider
enacting the U.S. Safe Web Act, which passed the Senate in
March of 2006. This act would make it easier for the FTC to
gather information about Internet fraud from sources other than
WHOIS databases, including our foreign law enforcement
counterparts and financial institutions in the United States,
and critically, we would be able to obtain information from
financial institutions without tipping off the targets of our
investigation to the existence of the ongoing law enforcement
inquiry.
We thank you for your attention to the FTC's interests this
morning and look forward to answering any questions that you
may have.
[The prepared statement of Ms. Harrington can be found on
page 82 of the appendix.]
Chairman Bachus. Thank you. Mr. Hensarling, do you have any
questions at this time? If you would like a few minutes, I
could go ahead.
Mr. Hensarling. I am happy to go now, Mr. Chairman.
Chairman Bachus. Okay. Thank you.
Mr. Hensarling. As often is the issue in the financial
concerns of this committee, there is always a balance between
our privacy and our security. I think this issue is
re-presenting itself here today.
Mr. Kneuer, if the more narrow definition of the purpose of
the WHOIS database was adopted, what precisely is going to
change for law enforcement? How does their job become more
difficult?
Mr. Kneuer. I think it immediately becomes much more
difficult, as Ms. Harrington was just mentioning, when there is
evidence of malfeasance on an Internet site, whether it is
financial fraud or child pornography or other forms of
obscenity, whether it be the abuse and violation of
intellectual property rights, the holders of those property
rights and law enforcement can go to the site and find out the
information.
If the information is unavailable, the Internet potentially
becomes an immediate safe harbor for a host of illegal activity
that can be accomplished over the Internet without any recourse
for law enforcement to really be able to track down the bad
actors in an efficient way.
Mr. Hensarling. Ms. Harrington, essentially the same
question for you. How would the FTC be limited by this more
narrow definition?
Ms. Harrington. I agree with what my colleague just said.
Specifically, there are hundreds of consumer protection and law
enforcement investigations going on at any time at the FTC,
investigations that often are spurred directly by complaints
from citizens and consumers about harm that they have
experienced.
The immediate impact is to make it far more difficult for
us to find the wrongdoers, and if we cannot find them, we
cannot stop them. Most importantly, we cannot get money back
for consumers who have been defrauded.
Mr. Hensarling. If I heard your testimony correctly, you
said something that struck me as a little bit curious, and I
think I heard you say that even inaccurate information gained
from the database can be useful by law enforcement.
If I heard you correctly, could you elaborate on that?
Ms. Harrington. Let me give you a good example. In a case
that we brought several years ago in 2002 against a fellow
named John Zuccarini; he had registered approximately 6,000
domain names and most of those mimicked legitimate and popular
Web sites.
When consumers mistakenly entered onto his turf, their
computers were hijacked, their browsers were hijacked, and they
really lost control of their computers. It was a horrible
situation that he caused.
In that case, we used WHOIS to identify different domain
names that were registered to him under different aliases, and
that inquiry enabled us to assess the extent--what turned out
to be the very wide extent--of his bad acts. That was critical
evidence in enabling us to go into Federal Court, get an order
to immediately shut down all of his Web sites, and ultimately
get a judgment for $1.8 million to redress consumers, and then
we worked closely with criminal authorities who convicted him
of criminal acts, and he served 30 months in prison.
That evidence from WHOIS, even though it was inaccurate,
was critical. It told us that we weren't dealing with some
small potato operator, but this was a very large scam, and that
evidence, in turn, was furnished to criminal authorities when
we were finished with our civil case, and that helped them get
a significant sentence against him.
Mr. Hensarling. You also mentioned in your testimony the
U.S. Safe Web Act.
Ms. Harrington. Yes.
Mr. Hensarling. On the other side of the Capitol, one of
many pieces of legislation written by the other body that I
have not gotten around to reading yet.
Could you elaborate somewhat on, I suppose, the tools that
you feel the FTC is missing today to effectively combat this
type of fraud, and what are the tools that are provided to you
under this act that you desire?
Ms. Harrington. There are several basic abilities that it
would give us to obtain and share information with our foreign
counterparts. Right now, we cannot.
In addition, a really important provision in U.S. Safe Web
would enable us to go to court to get an order to shield--to
protect information about a subpoena that we send to a
financial institution so that the financial institution would
not be required under other privacy acts to notify
accountholders that they had received a subpoena from the
Federal Trade Commission for information.
Right now, very important investigations, the existence of
them, can be revealed and sometimes is revealed by financial
institutions to the targets. The effect that has is that when
we seek in an ex parte proceeding an asset freeze on the assets
of companies that are defrauding consumers, the assets are gone
by the time we get there.
It is really important.
Mr. Hensarling. I see my time has expired. Thank you.
Chairman Bachus. I thank the gentleman. Mr. Moore?
Mr. Moore of Kansas. Mr. Chairman, I do not have any
questions. Thank you.
Chairman Bachus. Mrs. Maloney?
Mrs. Maloney. I just want to say that 19 States, including
my home State of New York, have responded to identity theft by
enacting laws that allow individuals to restrict access to
their credit reports whenever they feel it is necessary to
prevent identity theft.
Would that not help break down or stop what you are saying
is the number one or the highest form, that identity theft
comes ahead of any other consumer fraud complaint, accounting
for somewhere between a third and a half of all complaints
filed with the FTC?
Would not this approach of just allowing file freeze by
consumers on their credit--if they want someone to see their
credit, then they can release it. It just seems that is the way
to crack down on identity theft, which is really an incredible
crime.
We have many cases come to my office. Sometimes they think
they even make up the numbers, but by the time they find out
about it, their credit is ruined really for the rest of their
life. They cannot really get it replaced. It is just a very
difficult thing.
I guess my question to you is what about file freeze? Would
not file freeze work? It stops the thieves from getting the new
credit?
Ms. Harrington. We are right with you on the seriousness of
the identity theft problem. Consumers now can put fraud alerts
on their credit reports, which are a pretty effective hurdle to
the issuance of new accounts in their names, and also give
consumers pretty much real time information about who is making
inquiries, and what is happening with their credit record.
The freeze issue is an interesting one. I think we can
argue certainly the pros, as you have very eloquently. One of
the concerns with freezes, and when consumers ask us whether
they ought to put a freeze on their account, we need to tell
them also that what this means is they are not going to be able
to access credit in the ways they often want to.
I think it is a balancing act, really.
Mrs. Maloney. Any other comments?
Mr. Kneuer. Just to stress the importance of WHOIS data for
law enforcement; it goes beyond just consumer protection. It is
critical for law enforcement in a host of areas.
The FBI feels strongly enough about this that they send
representatives to ICANN meetings around the world to ensure
that WHOIS data is protected.
Mrs. Maloney. In late June, in Morocco, ICANN specifically
stated that they would continue to provide access to law
enforcement in adopting the new rules. Are you aware of this
position?
Mr. Kneuer. I think that reflects the view of the Board of
ICANN that the views expressed by the GNSO Council were the
views of one ICANN constituency, and that law enforcement
remains a very important constituency as well, and that before
they make any decision on a change in WHOIS policy, the views
of law enforcement will be considered.
Mrs. Maloney. At this forum, they said they would provide
access to law enforcement. If law enforcement has access, does
that affect your views? It seems that solves it if law
enforcement has access.
Mr. Kneuer. I would have to see the full text of the
statement, but I believe that is a reflection of the fact that
the current WHOIS policy and the current WHOIS procedures of
ICANN have not changed.
Law enforcement gets access through the publicly available
searchable accurate WHOIS database. They do not intend to make
changes that would adversely affect the ability of law
enforcement to continue to have access.
Mrs. Maloney. I think we all agree that law enforcement
should have access. I think we can also agree that the
widespread availability of personal information is clearly
contributing to the problem of identity theft, which the FTC
has reported as the top consumer complaint.
Have you undertaken any studies to determine whether
unrestricted access to WHOIS data might not actually contribute
to the problem of identity theft and online fraud?
Has the FTC looked at whether spammers are obtaining e-mail
addresses and other contact information from the WHOIS
database?
Ms. Harrington. We are very concerned about protecting the
privacy of individuals' personal information. That is why we
have called for public access to registration information about
commercial databases, not non-commercial databases. We strongly
support continued public access to commercial information.
We did a study. In Internet time, it is probably ancient at
this point. It was done a couple of years ago. At that time, it
did not appear to us that there was significant use being made
by spammers of WHOIS data.
More recently, I have read other more current work that has
been done that suggests that may be becoming a problem, and it
is something that I think we will be looking at again to update
our older work.
Mrs. Maloney. Have you contacted your colleagues overseas
that are operating under privacy rules? Have you spoken with
your colleagues in other countries about how the FTC could
investigate fraud and still safeguard privacy?
Ms. Harrington. Yes. People from the FTC are in very
regular contact with our colleagues in other countries. As the
private interests and laws pertain to WHOIS, it is our
understanding that, for example, the position that we are
taking on continued access to WHOIS registration information
for commercial Web sites for the public is not inconsistent
with those privacy laws.
Chairman Bachus. Thank you. Mr. Pearce?
Mr. Pearce. Thank you, Mr. Chairman. I suspect I would ask
either one of you, how big a problem is the identity theft
coming from the other side? I tend to fall on the side that if
someone is seeking access to me to do business, that I ought to
be able to have full access to information to them.
What drives the concern on the other side? Is it based on
fact or is it just the concern that we are going to give away
information about Web site operators?
I will let both of you take a stab at that.
Chairman Bachus. Could I ask the gentleman to yield?
Mr. Pearce. Sure.
Chairman Bachus. I will ask unanimous consent to give him
an extra minute.
I think what Mr. Pearce has just said, I would like to
associate myself with his remarks. What he said is if someone
has assumed an identity and is contacting me over the Internet
and telling me they are my financial institution or American
Express or the Red Cross.
We have a letter from the Red Cross that after Katrina,
millions of people were contacted, and after the tsunami,
millions of people were contacted, and told it was the Red
Cross, and were given a Web site address to send contributions.
As far as privacy, I think the privacy arguments are where
Mr. Pearce says, with the consumer, who the identity of the
person he is dealing with, he is being told it is his bank.
I will say this. Even the FTC, which says we are going to
give law enforcement these rights, but we are not going to give
them to individuals, it is the individuals who are being
contacted and ripped off.
When you deny the individuals the right to know who they
are dealing with and who is coming into their computer and
communicating with them and corresponding with them, I think
you take away a right that we have had on the Internet since
this database started.
They are now saying they want to make changes. It is a
radical change that I do not think the American people realize.
A bank robber could claim that taking his fingerprints is
an invasion of privacy. I would equate these people who
masquerade as my bank or as the Red Cross are criminals.
Protecting their identity is sort of like protecting a bank
robber's identity.
Ms. Harrington. Mr. Chairman, if I could just clarify. The
Federal Trade Commission supports full access by law
enforcement to all WHOIS database registration, including--
Mr. Pearce. That is not my question. My question is for me
as a consumer.
Chairman Bachus. Right. I think in his question, that is
maybe what you missed. He is saying as far as privacy and as
far as somebody communicating with me, if they are coming on
and telling me they are somebody and I am opening up my
database and I am giving them information, not only law
enforcement, but this is an important tool that consumers have
had.
I hope that the FTC, in trying to compromise with WHOIS and
ICANN, does not give away important rights of consumers.
What Mr. Pearce is saying, when he deals with somebody over
the Internet, they are asking him for sensitive information,
and representing themselves as his bank or something.
The fact that the FBI or the local police have a right to
that information--
Ms. Harrington. We agree. All of those examples that you
have given would fall in the category of commercial Web sites.
If someone is posing as your bank, someone is trying to collect
money from you, that is information that we believe that you as
a consumer, registration information, should have access to.
We draw a distinction between commercial and non-commercial
Web sites. On the non-commercial side, some have suggested a
tiered access system. There is a lot of debate going on at
ICANN about that.
The concern is that if you as an individual have set up
your own personal Web site for some non-commercial purpose, if
you are a dissident living in some totalitarian regime and have
put information on the Web site that could subject you to very
serious consequences, should your personal information be
widely searchable in a WHOIS database by anyone or not?
That is where the personal--
Mr. Pearce. That was my question. What is the whole
question of personal privacy? If my granddaughter is on a Web
site that begins to explore pieces of conversation with her
that I would rather not have occur, that is not a commercial
transaction, and yet I think, for myself, I would sit here in
full transparency, there ought to be a click on every
communication that allows you to go straight to and find out
who it is that really is operating.
I am wondering what drives the debate? You are talking, Ms.
Harrington, about the debate being driven by privacy concerns.
You are out here in a full operation requesting information
from somebody, commercial or non-commercial, and I just believe
that transparency is the better rule. Let's open it all up.
Let's shine the light in there. I do not think there ought to
be protections of any kind if you are out on the Web trying to
get access to my house, my business, or my granddaughter.
I do not understand that. Could you help me understand the
legal concerns of privacy?
Mr. Kneuer. If I might, sir. The U.S. Government's
submission to the Government Advisory Committee of ICANN makes
no distinction between commercial and non-commercial addresses.
It is the view of the U.S. Government, like I said, the
views of the State Department, the Justice Department, Homeland
Security, the Commerce Department, the Patent and Trademark
Office, the IRS, and the FBI, that there should be no
distinction between the two of these, and for precisely the
reasons you are talking about.
I think Ms. Harrington's views from a commercial
standpoint, the equities that the FTC is concerned with, is
consumer protection in commercial situations. There are other
significant Government equities that have broader concerns, the
ones you mentioned.
If a Web site is up that is not necessarily doing
commercial transactions, it can be violating laws in a variety
of different ways. It could be abusing intellectual property
rights. There could be child pornography or other obscenity,
where there is recourse to the laws.
We do not make that distinction. We believe that the WHOIS
database ought to be publicly available, accurate and
searchable for all domain registrations.
Mr. Pearce. Ms. Harrington, do you have any other ideas or
comments on that? What would you say to a link on every
communication on a Web site that takes you right to that?
Ms. Harrington. To the registration?
Mr. Pearce. To the Web site, let you know who it is that
has set this particular site up.
My wife serves on a bank board. Just recently people were
intercepting communications intended for the bank, representing
themselves as the bank. Actually, transactions were occurring.
If that e-mail had access to whoever is originating, the
consumer could click on it, take a look and say that is not my
bank, this is somebody in Indonesia or somewhere.
Ms. Harrington. I have not thought about that particular
mechanism, Congressman. You raise indirectly another really
interesting challenge in this whole area, and that is accuracy,
which is something that the U.S. Government, including the
Federal Trade Commission, has consistently raised as a concern
in connection with WHOIS databases.
We want to make sure that there is access to the
registration information. We also want to make sure domain
registrars do everything they can to ensure the accuracy of
that information.
Our experience is oftentimes people who are up to no good
include in their no-good activity the providing of false
information.
Mr. Pearce. Thank you, Mr. Chairman.
Chairman Bachus. Thank you. I appreciate your remarks.
Congresswoman Kelly has been very active on this issue. I
have been going back and forth. Mr. Moore?
Ms. Kelly. Are you in the first or second round of
questions?
Chairman Bachus. Actually, he did not ask questions. Go
ahead, Ms. Kelly. You have been a leader on this issue.
Ms. Kelly. It certainly is the floor for Mr. Moore.
Chairman Bachus. He is fine.
Ms. Kelly. Thank you. I think the public's concern on a lot
of this is the fact that on Web sites, when you log on to
certain Web sites, there are things there that are downright
errors. There is misrepresentation.
Apparently, you are supposed to look at who has what Web
site, if I understand. Is that correct?
Once you do that informational piece to find out who has
established a Web site, do you have any further duty to make
sure that what is on that Web site is accurate?
Mr. Kneuer. On the WHOIS database, to test the accuracy of
that?
Ms. Kelly. Right.
Mr. Kneuer. The registrars are supposed to ensure the
accuracy of it. Given the millions and millions of Web sites, I
think it is one of the reasons it is important that it not just
be law enforcement but consumers who have access, this really
is a collaborative effort, whether it be law enforcement or a
consumer who does the initial inquiry, if they see information
that appears to be inaccurate or based on that information,
they do a follow up and find it leads to a dead end, they can
then report that problem, and the registrars can correct the
problem or eliminate the Web page.
Ms. Kelly. How would a broad consumer use change that?
Mr. Kneuer. I think broad consumer use is what helps that
process along. I think eliminating that broad consumer use
makes it much more difficult for the registrars and others to
maintain the accuracy of the database.
There are limited resources for the ability to spot check
and go through millions and millions of sites.
Having the opportunity for consumers and for others to
exercise their rights to get into the WHOIS database to follow
up on that information is much more likely to uncover
inaccuracies and uncover illegal or otherwise inappropriate
activity.
Ms. Kelly. Getting into that database, if I were a
consumer, could I change information on the database at my
will?
Mr. Kneuer. No. Only the registrant can change the
information by submitting it to the registrars, and the
registrars maintain the database.
If you go to one of the registrars and click on WHOIS and
you put in a field, I want to know who owns what site, that
pulls up--you do not then have rights to edit that field. It is
a read-only file.
Ms. Kelly. Do you think that there is an adequate--that we
have maximum data and you have so many different Web sites,
what do you think is the best thing that you can do to make
sure you get the maximum data security and consumer protection
without harming the people who are likely to be using those
sites, especially small businesses? That is one of my chief
worries here. They do use the Web sites.
Mr. Kneuer. I think transparency and consumer education.
When I talk about consumers, I am not just talking about
individual consumers, but businesses as consumers. As long as
there is transparency in the process, more people are aware
they have this tool at their disposal.
If you are a small business and you are engaging in
business online, you are trying to use the power of the
Internet to leverage your small business nationally or even
globally and in doing that, you are looking to find business
partners, the more ability for those small businesses to access
the WHOIS data to find out more about the potential partners
that they may be looking at, too, I think the better for it.
To the extent that the WHOIS data, as I said, is itself
transparent, when you register a domain name, it is very clear
that part of the deal is you are going to publish this
information to the world. If you want to publish your Web site
to the world, you are going to publish this information to the
world.
It is a deal that you make, and it is transparent. This
information is not being publicized without the registrant's
understanding that it is being publicized.
Ms. Kelly. I'm going back to what I asked before. If the
registrar registers the site, does the registrar ever go back
and check to make sure that site has not been altered and
changed in some way?
The reason I am asking this is I logged onto a Web site
which then automatically put me into a second Web site. This
was a Web site that is used by private detectives and people
like that. People can also get on the site, but when you pay
through the second site to get more information, but logging
onto the registered site took me immediately to a second site.
That second site, when I was happy to pay, because I wanted to
see what was on it, had misinformation.
That is what concerns me. The transparency is great.
Unchecked transparency can possibly lead to abuse. I am
wondering if there is any kind of a screen there that can stop
that.
Mr. Kneuer. As far as the ability of a registrant to submit
their WHOIS data and then to change it after the fact, I would
have to get back to you. I believe those updates are made by
the registrars, that you have to submit that to the registrar
and have them make the change.
I will get back to you for the record on whether or not I
am correct in my understanding of the way that operates.
As far as successive sites, when you get into a site that
sort of scrolls down to other sites, you should still have the
actual address of the site, even when you default into and you
are redirected, the address should be there, should be visible
and transparent to you, and then you can do a WHOIS search on
that again.
I certainly concede that is sort of the kind of thing that
presents a challenge, not just to consumers, but even
sophisticated users. It is not real clear sometimes unless you
are really ever vigilant.
I concede that is a problem.
Ms. Kelly. Thank you.
Chairman Bachus. Thank you. Let me first say, Mr. Kneuer, I
would like to associate myself with your remarks in the
dialogue. I think both of you recognized that there is a real
key role for the consumers here.
It is a role they are playing today. The status quo today
is transparency. What this proposal would do is take rights
away from consumers, everyone that uses the Internet.
There are many legitimate rights that consumers have now,
essential rights, to protect themselves, that if this proposal
in my mind goes through, then yes, the commercial firms, your
bank, they may have rights, and law enforcement may have
rights, but the first line of defense, and Mr. Kneuer, you said
this, the first line of defense ought to be the consumer.
We say the consumers are responsible for protecting their
own information. If we deny them a right that they have
presently, this right to know the domain name and the identity,
then we are denying them the ability to protect themselves.
There are other things in your testimony that you talked
about, Ms. Harrington. I was trying to find it here. You talk
about how consumers now have the ability to resolve problems
with online merchants directly through the use of WHOIS
databases.
They find out who it is and they resolve their problem.
Government does not have to deal with it.
You are talking about consumers and legitimate businesses,
that if this changes, they are going to come to you and say we
do not know who these people are, we have a complaint, you need
to find out who they are. You are going to throw a whole lot
more work on the Government and individuals, which they are
doing now.
You would throw a whole lot more work--I would just like
you all to respond to that. I think you put the burden on the
Government and law enforcement, the banks and the financial
institutions, that consumers could legitimately say if this
goes through, I no longer have the ability to resolve this
myself.
Ms. Harrington. Mr. Chairman, I think that is right,
although I would hasten to add that we are here to serve
consumers. We welcome their complaints. We hope they do not
have problems, but when they do, we are in the business of
serving them.
I think an equal problem here is that consumers will lose
confidence in this marketplace if they do not know who they are
dealing with. I think that would have very serious
implications.
Chairman Bachus. In fact, we had talked about that on many
occasions. Our policy, if they lose--when we talk about
identity theft, we said it is very important for us and the FTC
and law enforcement to act against identity theft because it
diminishes the use of the Internet. It diminishes people's
confidence in the Internet.
To me, the more I look at this, the more I see it as a
serious threat to confidence on the Internet, to know who you
are dealing with.
Mr. Kneuer, what is the relationship between the Department
of Commerce and ICANN? It is my understanding within the ICANN
organization, there is a weighted voting by different
interested parties.
Could you describe how that works and how it impacts the
process? Does that weighted voting bias the process toward
certain views?
Mr. Kneuer. The relationship between the Department and
ICANN is memorialized in this Memorandum of Understanding.
ICANN is the private sector entity that was established to
take over the management of the domain name system. It used to
be a U.S. Government function, and a long history of the
Internet going back to DARPA and its development as a U.S.
Government network.
The MOU is intended as a transitional document for us to
provide some oversight over ICANN as they get themselves stood
up and become a sustainable secure organization.
As far as the weighted voting goes, that is not in the
decisionmaking of ICANN itself. These are not final decisions
of the Board of ICANN. These are in some of the subgroups of
ICANN, the GNSO being one of them.
When the GNSO was established, they determined that
weighted voting to reflect different constituencies in that
subset would be appropriate, so there is weighted voting in
that Council, in that organization.
That does not carry over into the final decisionmaking of
ICANN. The Board of ICANN is elected and representative, and
there are not weighted votes in final decisions of ICANN. It is
in this subconstituency, this GNSO Council.
Chairman Bachus. You mentioned GNSO. That states that the,
``Current definition of WHOIS data is related to the service
that provides public access to some or all of the data that is
collected, and is not a definition of the purpose of the data
itself.''
That seems to me like a definition that believes the WHOIS
database service, that their only purpose is maintaining the
Web site, which there is another purpose, legitimate purpose;
is there not?
Mr. Kneuer. Absolutely. ICANN by its definition, by its
by-laws, is supposed to be a consensus driven organization that
takes lots of different views. That is one view of the GNSO.
It is clear the governments feel that there are different
uses and different purposes for the WHOIS data. Consumers may
feel very differently.
The reason ICANN is organized the way it is, is so there is
the ability to get the views of all of these different
constituencies and all these different equities are represented
and weighed going into it.
While one subgroup may have one view, that is not
reflective of the overall Internet community as a whole, and it
certainly does not reflect the U.S. Government's position or
the views of many other governments, as have been reflected in
the Government Advisory Committee meetings.
I think you will see much more of that, of the view that
the purpose of the data should not be decided by any one group.
The important thing is that the data is available, and you can
make what use of it that you will.
Chairman Bachus. I agree. I think ICANN actually ought to
consider ways to protect the consumer and ways to protect an
individual's privacy.
I will just say this another way. It is almost as if there
are all these essential legitimate uses that consumers are
taking of the WHOIS data, and it is all of a sudden that ICANN
wants to sort of put the genie back in the bottle and stop a
lot of these, what we take for granted every day, as our
legitimate uses of that data by consumers.
Mr. Kneuer. I think that gets back to not having a narrowed
definition of the purpose. For some varieties of malfeasance,
whether it is consumer protections, the fraud, we want to make
it stop and making it stop may be--you want to recover assets
to the extent you can, but making it stop is the important
thing. That is not happening anymore.
Other areas of law enforcement have much different
concerns, whether it is cyber security and cyber terrorism, or
child pornography. You do not want to make it stop. You want to
catch those guys.
The more difficult it is for bad actors to hide behind
inaccurate WHOIS data, the harder it is for them to continue to
commit crimes on the Internet, the easier it is for law
enforcement to pursue them.
We need to reflect the broad interests and equities of the
community as a whole and not be too focused on one constituency
or another constituency.
Chairman Bachus. I agree. In fact, it is almost, ``the
public be damned.'' This is a better way, a more efficient way,
to manage the system. If anything, the people who benefit are
the people who are committing the crimes.
Mr. Kneuer. Just to be fair as well to ICANN, the proposal
from the GNSO has been submitted, but as the ICANN Board stated
in Marrakech, and I would refer back to my testimony for the
exact quoted language, they do not intend to make any decision
to change the current status quo policy without having the
opportunity of governments to give their counter view to the
GNSO's narrow definition, without having the opportunity for
the public to make their comments.
The status quo today still exists. There has been no change
in the policies or the procedures, and there will not be any
changes until a broad cross section of interested stakeholders
have an opportunity to make their views known.
Chairman Bachus. I have talked to Secretary Gutierrez about
this issue. A lot of people think it is just an arcane issue
dealing with a technical issue.
In fact, it has very serious implications and consequences
for everyone who uses the Internet. It would change the status
quo.
Although my words may seem sort of harsh, if consumers are
denied some of these rights, the consequences on them are going
to be harsher still.
I will close by just asking is the Commerce Department, and
is the FTC, committed to watching out for the best interests of
consumers, and are they committed to preserving consumers'
present rights to the WHOIS data?
Mr. Kneuer. Yes.
Chairman Bachus. Ms. Harrington?
Ms. Harrington. Absolutely.
Chairman Bachus. Thank you. I think that is very important.
I very much appreciate that.
Does anyone want to ask any other questions of this panel?
Ms. Kelly. Mr. Chairman, I just would ask the Commerce
Department to work closely with ICANN, to try to make sure the
information is absolutely as accurate as it possibly can be.
Chairman Bachus. Thank you.
Mr. Kneuer. We will certainly do that.
Chairman Bachus. That is a good point, Ms. Kelly.
Thank you very much. The first panel is discharged.
Ms. Harrington. Thank you, Mr. Chairman.
Chairman Bachus. Good morning to our second panel. Our
second panel is made up of Ms. Catherine Allen, CEO of BITS/
Financial Services Roundtable. We welcome you.
Also, Mr. Mark Bohannon, general counsel and senior vice
president, Software and Information Industry Association, SIIA,
and Mr. Marc Rotenberg, executive director, Electronic Privacy
Information Center, EPIC.
Ms. Allen, we will start with your testimony.
STATEMENT OF CATHERINE ALLEN, CEO, BITS/FINANCIAL SERVICES
ROUNDTABLE
Ms. Allen. Thank you very much. Good afternoon, Chairman
Bachus, and members of the subcommittee.
My name is Catherine Allen, and I am the chief executive
officer of BITS, part of the Financial Services Roundtable.
I also want to acknowledge Congressman Pearce from my home
State of New Mexico, where there are a few of us around.
I am pleased to appear before you today on behalf of BITS,
the Financial Services Roundtable, and our member financial
institutions, with respect to the topic of a proposed change to
the WHOIS database within the ICANN.
Thank you, Chairman Bachus, for meeting with executives
from AmSouth representing BITS earlier this year on this issue
and taking such an avid interest in it.
BITS is a non-profit industry consortium of 100 of the
largest financial institutions in the United States. We are the
non-lobbying division of the Financial Services Roundtable, and
work as a strategic brain trust to provide intellectual capital
and address emerging issues around operations and technology
for the industry.
Working groups share successful strategies and best
practices for managing risks, reducing fraud, managing IT
service provider relationships, and managing risks in the
changing payments' environment, and work with the heads of
security, heads of fraud, and heads of payment in these
organizations.
Financial institutions have always been a favorite target
for perpetrators of fraud. Institutions have long answered this
challenge with reliable business controls, advanced technology,
information sharing, and cooperative efforts with the
Government and law enforcement agencies.
With the growth of the Internet and its fundamental role as
the foundation of electronic commerce, including financial
services, the role of ICANN and its significance has grown
exponentially.
It is therefore with great concern that our member
institutions have become aware of the proposed change in the
type of information to be collected and maintained in the ICANN
WHOIS database.
The WHOIS database, just as a background, is very important
in that it has three types of information, and all three of
these types of information are used when we work with law
enforcement to track down fraud.
The registrant contact, which includes those registered
for domain names, IP addresses, who owns the name, who paid for
the name, and the owner's name and address. Secondly, the
administrative contact who you call for billing information.
Again, their name, phone number, address, and the technical
contact who may or may not be associated with that Web site,
who specifies if there is a problem with the Web site and does
the technical attributes.
As part of their efforts to combat fraud, financial
institutions are constantly watching for incidences of domain
name fraud. Sometimes we call it cyber squatting or typo
squatting. These are people that will create and register
domain names that are very similar to financial institutions,
but they might have one slight change to them. In some cases, a
changed vowel or a changed name. In any sense, they look very
familiar to the consumer and they think they are talking to an
actual legitimate financial services company.
In one case, one of our financial institutions found a Web
site with a name that was identical to their own, except for
the one vowel change. Going to the home page, they saw that it
was not only an example of theft of intellectual property, but
of course, they were trying to commit fraud against consumers.
Using the registrant information from WHOIS, the financial
institution in this instance was able to contact the Web site
owner and send a cease and desist letter to have the site
removed.
One of the other key uses for the WHOIS database is for
shutting down phishing sites. As part of investigating phishing
incidences, financial institutions sometimes discover that a
legitimate Web site has been taken over by phishers, without
the Web site owner's knowledge.
With cooperation of the WHOIS technical contact and the
registrant's contact, and the hosting site, they were able to
shut down a phishing site. Again, they needed at least two of
the three kinds of information.
In early 2006, a financial institution discovered it was
being phished from a site in Taiwan. Efforts to have the Web
site shut down using the technical contact information were
unsuccessful. In fact, it took the full WHOIS information
provided to the U.S. Secret Service and the Taiwanese police,
who made local contact with the Web site owner and the ISP and
got the phishing site shut down.
These are just a few examples of the reasons that financial
institutions and others who are combating fraud find the WHOIS
database so important as a tool for fighting fraud and
protecting the public.
All of the WHOIS information is currently freely available
to anyone with Internet access, and while it may be prudent in
some cases to restrict some access, we do believe it needs to
have what we call permissible access by all players--law
enforcement, businesses, or people who have legitimate reason
to try to track down for fraudulent reasons who owns this
database.
It is a matter of public confidence. We agree with the
discussion that happened with the previous panel, that the more
transparency there is, the better it is for all of us,
including consumer access to this information.
As you are aware, on January 18th, the ICANN WHOIS Task
Force report contained two opposing formulations for the
purpose of WHOIS. Under formulation one, which is severely
restrictive and just a technical issues' configuration, we
believe adoption of that would make it more difficult and time
consuming for financial institutions to identify and stop
domain based scams and identity theft and account fraud. It
will also hinder our ability to respond to identity theft and
phishing. Timely response to phishing attacks and identity
theft is critical to protect customers, financial institutions,
and innocent consumers.
In most instances, many unsuspecting consumers are
contacted by a financial institution to learn that they may
have been a victim of identity theft and they may not have
known it because a Web site had been set up in their name,
which turns out to be a fraudulent Web site.
Giving the consumers the opportunity to remedy the effects
of the identity theft sooner rather than later is critical, not
only to law enforcement, to the financial institution, but most
importantly, to the consumer.
Most innocent victims have been, and continue to be,
extremely helpful to financial institutions in taking down or
transferring these domain names to the financial institution
that is the target or potential target of a phishing attack.
Financial institutions need the WHOIS information to
address all of the forms of fraud noted above.
For these reasons, we have urged ICANN to adopt formulation
two. Formulation two would provide financial institutions, law
enforcement and others open access, continued open access, to
the information they need to respond to identity theft and
account fraud.
It is our understanding that during the ICANN meetings in
Marrakech, the decision to choose between formulations one and
two was postponed for additional deliberation.
On behalf of BITS and our financial industry, recognizing
that the ICANN Board has the ultimate decision, we encourage
Congress to strongly support the adoption of formulation two.
Thank you for the opportunity to testify before you, and I will
be happy to answer any questions.
[The prepared statement of Ms. Allen can be found on page
46 of the appendix.]
Chairman Bachus. Thank you, Ms. Allen.
Mr. Bohannon?
STATEMENT OF MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE
PRESIDENT, SOFTWARE AND INFORMATION INDUSTRY ASSOCIATION
Mr. Bohannon. Mr. Chairman, members of the committee, I
appreciate the opportunity to appear before you today and
testify on ICANN and the WHOIS database. I particularly want to
thank you, Mr. Chairman, for your opening statement, which was
very strong and very clear about the importance of this issue,
and we want to continue to work with you and the committee to
pursue the right policy here.
My organization has been engaged in the issue of WHOIS
policy for many years, primarily through our involvement in the
Coalition for Online Accountability, which includes most of the
major organizations and members of the copyright community.
We see firsthand how the WHOIS database is a key tool to
combat copyright and trademark infringement, cyber squatting,
fight phishing attacks, as well as combat the pernicious
effects of spyware and illegal downloads.
In my prepared remarks, I document how I believe all
Internet users, consumers, as well as leading groups such as
TRUSTe and the Center for Democracy and Technology, who are
committed to promoting privacy network security, depend on the
WHOIS database, and I would ask that it be submitted for the
record.
I really want to focus on two issues in my verbal comments.
One is I want to talk about why the proposed policy is
misguided, and secondly, why we have to ramp up and step up
efforts to make WHOIS reliable and accessible.
When SIIA and other members of the intellectual property
community heard about the move to restrict access in the
purposes of WHOIS data, we were obviously greatly concerned.
The formulation that was put forward, so-called formulation
one, it is important to understand that it represents only a
very, very small proportion of the current critical public
interest uses of WHOIS data.
In fact, virtually all the ways that WHOIS is now used to
protect intellectual property rights, investigate cyber crimes,
fight fraud and phishing and protect privacy online would in
our view fall outside the scope of this definition.
When the discussion became more broad, it was becoming
quite apparent that the change would be devastating to
businesses, consumers, and everyone who uses the Internet in a
positive way.
It galvanized many concerns about ICANN's stewardship of
the WHOIS system. At the early stage, more than 50
organizations, coalitions, entities, and individuals from over
12 different countries filed comments with ICANN arguing
against the narrow formulation of the purpose of WHOIS, and as
I believe you, Mr. Chairman, pointed out, even the American Red
Cross pointed out that it would definitely have restricted
their ability to go after the fraudulent Web sites that were
trying to take money from citizens all in the name of helping
those who were victims of Hurricane Katrina.
After the Council vote in April, I would say an even more
remarkable broader sector of business and other interests
became quite concerned.
I would like to submit for the record letters from diverse
sectors, such as financial services, and hotel/lodging, as well
as intellectual property and anti-counterfeiting groups.
Chairman Bachus. Without objection, that will be allowed.
Mr. Bohannon. Finally, Mr. Chairman, I wanted to directly
acknowledge and thank you for your leadership. Your letter to
Secretary Gutierrez earlier this year provided very important
impetus and urgency to the development of a strong U.S.
Government position going into the ICANN meeting in Marrakech.
We want to thank you for that.
We also want to take the opportunity to acknowledge the
position that was presented by the U.S. Government delegation
at the ICANN meeting. Fortunately, their view was reinforced by
other governments that were in attendance, including the
consumer protection authority in The Netherlands, as well as
the representative from the Japanese Ministry of Information
and Communications.
While most of our discussion has really focused on public
access and why that is critical, we also want to make it clear
that it is essential, absolutely essential, to dramatically
improve the accuracy and reliability of WHOIS data.
The situation and the problem has been very well
documented. In a study released by the Government
Accountability Office last December, they estimated that the
WHOIS data on over 5 million domain names in .com, .net, and
.org, is either obviously false, incomplete, or simply could
not be found.
This high level of inaccuracy, in our view, significantly
undermines the purpose, the role, and the value of WHOIS to
consumers, to businesses, and to law enforcement.
The GAO study also clearly shows that the system that ICANN
put in place to address the problem simply is not working. GAO
investigators submitted complaints about blatantly false data
to the system, but after more than a month, the contact
information had been corrected in only one quarter of the
cases. At least half of the time, the phony data remained
unchanged and the domain name remained as active and accessible
as before the complaint was made.
This hearing comes at a critical juncture in the
relationship, in our view, between the U.S. Government and
ICANN. As you know and as we discussed, the MOU between them
ends on September 30th.
When the Memorandum was renewed 3 years ago, ICANN pledged
to take steps to improve the accuracy of WHOIS data. It also
promised to put in place an enhanced system for ensuring domain
name registrars and registries live up to their contractual
obligations. That is making the WHOIS data publicly accessible
and dealing directly with complaints about inaccurate data.
We understand that ICANN believes that it has fulfilled
these pledges under the MOU. Candidly, we do not agree with
this assessment. While we believe ICANN has taken some steps to
improve the system for receiving and processing complaints,
ICANN's own reports show that the system does not work as it
was designed to do.
ICANN has consistently shied away from taking on the more
difficult challenge of requiring registrars and registries to
take proactive steps, any steps, in our view, to actually
verify the information they are collecting to ensure that it is
accurate and reliable.
Mr. Chairman, as we look forward and ahead to working with
you on how best to ensure that ICANN does not set off down a
path that would lead to a reversal or substantial erosion of
the long-standing policy regarding making registrant contact
data accessible in real time without charge via the Web and
without substantial restrictions on use, we thank you for this
hearing.
We think that the policies are in our national interest, in
the interest of consumers and businesses worldwide, and in the
interest of promoting the healthy growth of the Internet as a
safe place to work, to play, and to do business.
[The prepared statement of Mr. Bohannon can be found on
page 69 of the appendix.]
Chairman Bachus. Thank you.
Mr. Rotenberg?
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Rotenberg. Thank you very much, Mr. Chairman. I
appreciate the opportunity to testify today. I ask that my
complete statement be entered into the record. I will summarize
for you the key points.
Chairman Bachus. Without objection, all of the panelists'
full written testimony will be entered into the record.
Mr. Rotenberg. Thank you, Mr. Chairman.
My organization, the Electronic Privacy Information Center,
EPIC, has been involved in the WHOIS debate pretty much since
the beginning. I, myself, am also the former chairman of the
Public Interest Registry, which manages the .org domain. We
developed, in fact, one of the best WHOIS practices, we
believe, of any of the domains operating on the Internet.
I am here this morning to present a view on behalf of
consumer organizations and non-commercial users of the
Internet, which is very much in support of the effort that
ICANN is currently making to protect the privacy of Internet
users.
I need to be clear about this point. I believe there was
some confusion on the first panel as to what the consumer
interest is regarding unrestricted and unaccountable access to
the WHOIS database.
Under the current ICANN policy for WHOIS, anybody who has a
connection to the Internet can go to this database and get the
personal contact information of anyone operating a Web site, a
political organization, an arts organization, a human rights
organization, a group of hobbyists who have set up a Web site
possibly in their living room or their basement--any person can
get access to that information and use it for any purpose.
That means that under the current ICANN policy, which the
other panelists appear to favor, the person who is committed to
fraud and spam and phishing has the exact same right of access
as the law enforcement agent or the consumer protection
official who is investigating crime.
This is clearly not a sensible approach to protecting the
interests of Internet users.
The problem is so serious, in fact, that as the other
panelists have noted, identity theft has become the number one
consumer complaint in the United States.
What did the Federal Trade Commission urge consumers to do
to protect themselves against this crime? They said be very
careful about putting your personal information on the
Internet, because it is your personal information, your home
address, your telephone number, and your e-mail address, that
makes it possible for others to commit types of fraud and crime
against you.
ICANN, taking into account the growing concern about
identity theft, while recognizing that law enforcement will
need access to investigate crime, has appropriately decided to
revise their policies for access to the WHOIS database.
The chairman of ICANN, Mr. Twomey, and the various interest
groups participating in this process, have not objected to law
enforcement access. That is not what the debate is about.
The debate is about whether there should be appropriate
safeguards to ensure that the millions of individuals who
provide information when they register an Internet domain will
not find that their personal information is being improperly
disclosed to others.
Just to make very clear how serious the link is between the
unrestricted access to WHOIS data and the problem of phishing,
which I gather to be a central concern of the hearing this
morning, the top phishing investigation and prosecution that
was pursued in the United Kingdom was against an individual who
took advantage of access to e-mail addresses that he could
obtain from the WHOIS Directory to commit the type of financial
crime that the other witnesses this morning are understandably
concerned about.
It is our view that a sensible and effective approach to
the use of WHOIS data is one that will allow people who
register Internet domain names to protect the privacy of their
personal information. It will still be made available to the
registrars. We are not saying contact information should not be
provided. We do believe it should be provided, but we think the
circumstances under which it should be disclosed should be
limited to appropriate and legal circumstances.
There is a very simple analogy here, Mr. Chairman, and that
is, of course, the driver's license and driver's record
information that all of us provide to the State DMVs as a
condition of the right to drive a car on a public roadway.
We make this information available to the Government, and
the Government needs to make use of that information oftentimes
to investigate crime and theft and accidents.
We would not say that the information in the State DMV
databases should be widely available to the general public for
any purpose it might choose. In fact, the Congress has wisely
chosen on several occasions to protect the privacy of just that
type of information so that it is not improperly used.
My point is simply this. If we protect the privacy of the
information that is collected to register an automobile and it
can still be accessed for law enforcement, for appropriate use,
should we not similarly protect the privacy of the information
that is provided to register a Web site?
It will still be available for appropriate use, but we do
not want it widely available to the public. It is contributing
to the problem of identity theft.
Thank you.
[The prepared statement of Mr. Rotenberg can be found on
page 103 of the appendix.]
Chairman Bachus. Thank you, Mr. Rotenberg.
My question is simply going to be, Mr. Bohannon, Mr.
Rotenberg gave a different view from the first panel or Ms.
Allen and you.
Would you respond to his arguments? Are they valid? How do
you deal with that?
Mr. Bohannon. Mr. Chairman, of course, Mr. Rotenberg and I
have worked on a number of things together. Sometimes we agree.
Sometimes we do not agree. I think on this one, we do not agree
on either the nature of the potential problem that he was
describing, much less the overall balance that is trying to be
struck here.
Let me try to address--if I miss a point, let me know.
Chairman Bachus. I will give Mr. Rotenberg the right to
respond.
Mr. Bohannon. I think the question no one on this panel is
arguing is that there are not real problems to address with
regard to identity theft and how we combat that. I think in
this Congress we have seen lots of discussion of that across
the board.
The question is whether the kind of information regarding
the kind of entities that are on the WHOIS database in fact
contributes in any way, much less in a meaningful way, to
identity theft, fraud, and anything else. With all due respect
to Mr. Rotenberg, I do not believe the evidence is there.
In fact, if you look at the kind of registrant technical
and administrative data that is on WHOIS, registrants, in fact,
their e-mail addresses are not publicly available. The only thing
you have to put as a registrant is your name and postal
address. Technical and administrative contacts, that is
different.
When you are talking about the actual registrant, we are
not talking about the kind of information that would be
associated with identity theft and leading to those kinds of
things.
Our view is that the overall balance to be struck here is
when my member companies get thousands of complaints in an hour
that they are getting fraudulent e-mail and being directed to
deceptive Web sites. What within minutes or hours can companies
do to shut those down and give their customers confidence that
they can do business?
At this point, there is no silver bullet. WHOIS becomes an
essential step in combating that. If we were to rely only on
law enforcement, we believe that it would dramatically hinder
our ability to go directly and help our customers when they are
being confronted with these kinds of attacks. It simply cannot
be done in minutes or hours.
As you know, Mr. Chairman, our organization has a long
history of working in a public/private partnership with law
enforcement to combat cyber crimes, intellectual property
theft. They do great work, but they cannot operate within
minutes or hours like our security offices and our customer
relationship folks are required to do.
Chairman Bachus. Thank you. The WHOIS data, are you
disputing that it is being used today to protect consumers and
to advance confidence in the Internet?
Mr. Rotenberg. I believe it is being used in both ways, Mr.
Chairman. I believe that the WHOIS data can be useful to
investigate certain types of activity. I think you have to be a
fairly sophisticated user to use the WHOIS data for that
purpose, because a person who intends to commit a crime online
is usually pretty good at concealing their actual identity, and
that includes the information they would provide for the WHOIS
database.
Chairman Bachus. Would you restrict some of the present
rights that consumers have?
Mr. Rotenberg. I am encouraging an approach that ensures--
it is the consumers' information, by the way, that is being
disclosed. There are two sides to this coin.
Chairman Bachus. If you operate a Web site and if you
communicate with someone and give them that Web site, then they
have a right, but if you didn't want them to have that
information, you just simply would not communicate with them;
is that right? Wouldn't that solve your problem?
Mr. Rotenberg. That could be.
Chairman Bachus. You obviously have some motivation for
communicating with that consumer.
Mr. Rotenberg. You may also be a non-commercial entity. As
I said, there are many people who register Internet Web sites
for non-commercial purposes. There are many human rights
organizations, I should point out, that have found that the
Internet is the most effective way they have for expressing
their political views and trying to bring democratic reform to
some of the governments in this world that need reform.
They are concerned that if their personal information were
made available to the governments in which they are operating,
they would be at serious personal risk.
If I may, Mr. Chairman, because I know other witnesses had
asked that certain information be entered into the hearing
record, on this particular point with Mr. Bohannon, I would
like to ask that an article that my staff found be entered into
the hearing record.
This concerns the spammer in the United Kingdom, if I could
just read two sentences.
It begins, ``Britain's most prolific spammer, currently
behind bars and facing a number of charges, has also just been
fined 81,000 pounds.''
It goes on to say he, ``Used Nominet's WHOIS database to
send out fraudulent domain name renewal invoices under the name
of Domain Registry Services.''
He had access to the WHOIS data, which made it possible for
him to commit the fraud.
Chairman Bachus. Is that the only case you are aware of?
Mr. Rotenberg. I am sure we could find many more, sir. I
just thought it was remarkable. He is the most well-known
spammer in Great Britain.
Chairman Bachus. You would agree there are literally
thousands, or tens of thousands, of examples of people who have
misrepresented their identity to consumers and thereby
committed identity theft or entered into fraudulent practices?
Mr. Rotenberg. Yes, sir. We certainly support those
prosecutions. As I said, we have worked with the Federal Trade
Commission and encouraged prosecutions of fraud that does
jeopardize the interests of consumers.
We do believe that the interests of consumers are also
jeopardized when their personal information is made available
online.
Chairman Bachus. Since this WHOIS database was set up,
since day one, consumers have had this information that you are
now advocating be withheld from them; is that right?
It's a change to the status quo.
Mr. Bohannon and Ms. Allen are basically arguing for the
status quo, and as I understand it, you are arguing that the
consumers' right to know be limited.
You have given as a legitimate reason the protection of the
privacy of the Web site operators.
Am I wrong?
Mr. Rotenberg. From our perspective, Mr. Chairman, the
consumer right here is the ability to control the disclosure of
their personal information.
Chairman Bachus. Are the Web site operators, I would say 90
percent--it is my understanding you are limiting the right of
consumers to get that information which they presently have. Am
I right?
Mr. Rotenberg. We would certainly allow access for
appropriate purposes, as I mentioned at the beginning. I was
chairman of the .org domain. We are the third largest generic
top level domain name. There are millions of people who
register .org domain addresses. Many of them are for non-
commercial purposes.
Chairman Bachus. Thank you. Mr. Bohannon? I'm sorry. My
time has expired. Mrs. Maloney?
Mrs. Maloney. Thank you. I would like to ask all of the
witnesses. I think we all agree that access to the database can
be useful, but can also be a tool for identity theft.
Why not segregate the most sensitive information and keep
that private so a consumer might still be able to see who
contacted them, but might not get the sensitive personal data
that could allow them to set up a fake account in their name?
Could you respond to that? In other words, limiting the
amount of information. You can get a name but not the address,
so you cannot use that sensitive information.
Ms. Allen. Maybe I will start by responding. I think when
we are talking about access to the WHOIS database, the only
sensitive data is their name, address, telephone number, and in
the case of the administrative contact, their e-mail, but there
is no financial information that is available.
As the financial industry, we are looking to be able to
track back who owns a Web site or maybe the genesis of an e-
mail that may be used for phishing to go capture that
information from a bank or from consumers.
In the WHOIS database, there is no sensitive data other
than the name, address, and e-mail of who owns that database.
Mrs. Maloney. Any other comments?
Mr. Bohannon. I think it is important to understand that,
in fact, the WHOIS database is already carefully balanced to
make sure that sensitive information like billing information
the registrars get from the registrants, that is clearly not
put on the Web sites. I think we need to recognize that is
already a limitation.
I will reiterate my point from earlier, which is you will
not find the sensitive information of registrants on WHOIS. You
will find their name and postal address. What you will find is
contact information for either technical or administrative
contacts. In that context, the Nominet example, I think, is
very useful. It was a very well-publicized case about 2 years
ago.
The system worked. The individual was engaging in illegal
spam. Illegal because the registrar accreditation agreement
that ICANN has in place precludes use of the information for
precisely the kinds of activities the gentleman in the Nominet
situation was engaging in.
Our view is that ICANN needs to do more to enforce those
agreements, to make sure that the limitations on WHOIS data
that already exist are meaningful and are not abused.
When we hear the word, ``individual,'' we need to be
careful here. What was involved in almost 99.9 percent of those
cases were individuals who were not there as consumers, but
individuals who were there in a corporate capacity.
Take me, for example. I have my name and e-mail address on
our Web site. Is that me as an individual? Yes. It is me in my
capacity representing my members. That is, in fact, the kind of
information that this gentleman used, and to reiterate, he
engaged in violation of existing ICANN policies, and we think
ICANN should be doing more to make sure those policies are
enforced.
Mr. Rotenberg. I think what you have outlined is, in fact,
a sensible and effective approach that many organizations and
experts and Government officials who are participating in this
process at ICANN hope will result.
As the other witnesses have indicated, this policy is still
under discussion and a number of different approaches have been
put forward. I think there has been very good input.
I believe that a sensible solution is one that will
restrict access to personal information and still leave some
point of contact for accountability and investigations when
appropriate.
Mrs. Maloney. I would like to ask each of you whether you
agree there should be different standards for accessing WHOIS
depending on whether an Internet registrant is commercial or
non-commercial.
Mr. Rotenberg. I will say on this point that I know the
Federal Trade Commission has proposed this distinction. I think
there is certainly some support for this.
A business that holds itself out should be accountable and
there should be a point of contact for a business, and we
wouldn't necessarily have the same expectation for a non-
commercial entity on the Internet.
I think as a broad solution to the WHOIS issue, as my
testimony suggests, there will need to be a point of contact
for all registrants.
One approach may be to allow proxy registrations so that
individuals, for example, will have a buffer, if you will, so
that it is still possible to reach someone when necessary, but
they won't be directly exposed online.
Mr. Bohannon. I think the discussions that are underway
about the subject are very helpful, and we are participating
actively in them.
Congresswoman, I think at this stage, there is little that
provides comfort that this could be put into place either
operationally or from a practical point of view.
I think even the FTC has acknowledged in its statement that
until those are resolved, everything should be publicly
accessible, and that there needs to be more information
gathered.
Let me just say that the question of commercial versus non-
commercial is a tricky one. My organization, SIIA, is a
501(c)(6). Technically, we are a non-profit under the tax laws.
Am I therefore a non-commercial entity who should have my
information restricted? That makes no sense whatsoever, since
we are actively engaging and holding ourselves out to the
public, even though we do not pretend to make a profit.
I think you need to be very careful about the language of
non-commercial and commercial when in reality, entities,
individuals, organizations that are using a publicly available
Web site to promote themselves, to engage in education, and to
do other things, are holding themselves out to the public.
I think one point that has been missed, if I could just
take a second, if an individual wants, for political or other
purposes, to be able to communicate in a meaningful way,
getting a Web site, in my humble opinion, is probably the last
thing you want to do.
There are lots of ways you can do it through blogs and
others that are not registered at the top level domain that I
think can be doing exactly the kind of things Mr. Rotenberg
talked about, but which avoid, I think, some of the points that
are being made.
Quite frankly, if I were engaging in political dissidence,
the last thing I would want is a Web site. I would want to
figure out how to use an appropriate proxy service or something
else, and those are all provided under very clear rules under
the ICANN.
This notion that Web sites are nothing, I think we need to
get past that in terms of addressing some of the communication
issues that have been discussed here.
Mr. Rotenberg. Could I respond to that?
Mrs. Maloney. Absolutely.
Mr. Rotenberg. I am actually really struck by Mr.
Bohannon's comment. I find it extraordinary that an association
that represents leading technology companies in the United
States would discourage political speakers from taking
advantage of the Internet and establishing Web sites.
Mr. Bohannon. I am sorry. That is not what I said. That is
incorrect.
Mr. Rotenberg. I believe that is exactly what you--
Mr. Pearce. [presiding] Could the gentlemen suspend?
Mrs. Maloney. Ms. Allen, if you would respond to the
commercial and non-commercial.
Ms. Allen. I would. We draw no distinction. In fact, we
support the Department of Commerce's position, and believe in
transparency. A lot of it has to do with going after the bad
guys.
BITS just had a conference last week on anti-money
laundering. We were looking at the growth of fraud on the
Internet and concerns about the bad guys, and the correlation
that has with the charities that sometimes are fronts for
terrorism groups, and that they are using that as one of the
ways that they do funding.
I think it is important that we have transparency and that
it could be a not-for-profit or a for-profit or an individual
who has a Web site that may be a bad guy, and we want to be
able to have access to that.
Mr. Pearce. The gentlelady's time has expired. I would
request unanimous consent to enter into the record a statement
by Lynn Goodendorf. She is the vice president for information
privacy protection for the Intercontinental Hotels group, and
then also a letter from Mr. Fred Becker, Jr., National
Association of Federal Credit Unions. Without objection, those
will be entered into the record.
Mr. Rotenberg, on page six of your testimony, you declare
that governments are trying to crack down on human rights
groups by extending identification requirements for Internet
users.
I suspect that is something you would object to.
Mr. Rotenberg. We do, sir. We work with human rights
organizations all around the globe. We are particularly
concerned about those organizations that are pursuing
democratic reform--
Mr. Pearce. Sir, if I can go ahead and ask you the
question. What position did you all take when Google went ahead
and decided to cooperate with China?
It is my understanding they were providing information on
who searched the word, ``democracy,'' who searched for words.
What did you all publicly do? What did your organization
say about that publicly? What was your position?
Mr. Rotenberg. We took no formal position and we were not
asked to appear before the committee that held the hearing on
this issue. We did express our opposition to Google's support
for the Chinese based search engine, .cn.
The practical impact of that search engine is to restrict
access to information on the Internet that the Chinese
Government does not want the Chinese people to receive.
We did not support that.
Mr. Pearce. You took no public position, but you are taking
a public position now that would provide consumers with access
to information? Am I characterizing that accurately?
Mr. Rotenberg. Sir, I would be happy--
Mr. Pearce. I am asking a question. You are taking a public
position on restricting access to consumers. Is that your
position?
Mr. Rotenberg. We do not believe we are restricting access
to consumers.
Mr. Pearce. If I could then go to page three of your
documentation, you quote from the Public Interest Registry
that, ``As the Internet and the number of its users has grown,
the justification for making WHOIS data publicly available is
no longer applicable.''
Did you quote something you did not believe?
Mr. Rotenberg. I do. I very much support that statement.
Mr. Pearce. My position still stands. It appears that you
are supporting restricting access to consumers, but you are not
unwilling to speak to Google publicly when they identify people
for the government of a fairly repressive regime.
I really want to get my feet underneath me as far as your
positions are concerned.
Mr. Rotenberg. I certainly appreciate the question, and if
I can clarify my response, I apologize if I have not been
clear.
We were opposed to what Google did with respect to the
search.
Mr. Pearce. You did not take a public position, right?
Mr. Rotenberg. To the extent that we were asked our views,
that is what we said. As to the public availability and the
statement from the Public Interest Registry, which we cite in
our statement, we think it is an excellent point that was made
in support of WHOIS privacy.
Mr. Pearce. Can I ask you, in that same quote, ``As the
Internet and the number of its users has grown, the
justification for making WHOIS data publicly available is no
longer applicable,'' how does it affect privacy concerns if we
affect the privacy of more rather than fewer, the logic of that
position is a little bit untenable. It seems like we would be
interested in protecting the privacy of even a single
individual, yet the quote specifically states now that the
number of people is larger, now we have cause for concern and
we are going to take a position.
I am not following that logic.
Mr. Rotenberg. I believe the point that is being made in
the statement and is one that is generally understood at the
ICANN, is when the data was originally available, it was to
technologists for the technical purpose of maintaining the
security and stability of the Internet.
What has happened over time because it is more widely
accessible to more people, it is creating new privacy risks
that did not previously exist.
That is why we have the problem of identity theft and
phishing and spam.
What the Public Interest Registry is expressing here is the
recognition, which I believe ICANN is agreeing with, that in
this environment, the unrestricted access to personal
information poses new privacy risks.
Mr. Pearce. I had asked the previous panel if it were
possible if all Web sites had a link straight to the WHOIS
database. I suspect you would be opposed to that.
Mr. Rotenberg. I think it could be helpful for consumers
who are dealing with businesses online.
Mr. Pearce. No, I did not ask about businesses. I said,
``all.'' It goes back to the discussion about my granddaughter,
what Web sites might be misleading my granddaughter.
I think there would be a very good reason to have the
capability for a parent to go in and check to see who exactly
is talking to a daughter in non-commercial means.
You would oppose that?
Mr. Rotenberg. I would be concerned that the same policy
might be applied to a Web site that your granddaughter would
choose to create on the Internet. I think she would have a
privacy interest in protecting--
Mr. Pearce. If my granddaughter wants to go on the Internet
and begin to represent herself as someone, I think she should
be responsible enough to be asked who she is and where she is
located. I do not fear that at all. It is part of transparency.
Mr. Baca, it is time for you to ask questions.
Mr. Baca. Thank you very much. Let me ask all three of you
just a simple question at the very beginning, and you can just
answer it yes or no.
Dealing with identity theft, it seems like individuals now
can obtain any kind of information, more information, using the
Web sites and the Internet. It has become a serious problem
because some people may give out a little bit more information,
so therefore, they have access.
Is that true? Just for the record, yes or no?
Mr. Rotenberg. I would say yes, it is a risk when people
make more information available online. It can be misused.
Mr. Bohannon. I am not sure I understand your question,
Congressman.
Mr. Baca. Right now, since we have a lot of identity theft,
is there a probability that now more individuals are at risk
because they are using the Web sites, they are using the
Internet, that they are giving out a lot more information, so
therefore, other individuals may have access to that
information? Yes or no? Just a simple yes or no.
Mr. Bohannon. I apologize. The question you are asking is
of course, way beyond the scope of this hearing. I am trying to
make sure I give you--
Mr. Baca. We are talking about theft, fraud, the Internet.
Mr. Bohannon. If I make more information available online
or offline, yes.
Mr. Baca. Thank you.
Ms. Allen. The answer is yes, and right now, more identity
theft comes from offline, from dumpster diving, than online.
Mr. Baca. Thank you. The next question is what steps can
consumers take to protect themselves against phishing, which is
number one? This question is for Mr. Rotenberg.
Is there a one-stop-shop of information that I can refer
them to?
Mr. Rotenberg. The main advice we give to consumers is to
know the Web sites that they are dealing with, and to limit the
amount of personal information they provide, but when they do
run into trouble, we encourage them to visit the Web site of
the Federal Trade Commission, the Privacy Rights Clearinghouse,
and also the Identity Theft Resource Center, all very good
resources for consumers.
Mr. Baca. Thank you.
Mr. Bohannon. I think Mr. Rotenberg outlined a number of
very important steps. The other thing that virtually every
company that does business has developed is a means to get from
their customers examples.
I, for one, use a very popular online payment service
personally. I send to spoof@ that entity so many times a day
that I think it helps them keep up with what is going on.
I think it is very important in addition to the examples
that Mr. Rotenberg talked about, to be in direct contact with
the company that you are doing business with so that they know
and they can tell you whether or not it is legitimate or not.
Mr. Baca. Ms. Allen?
Ms. Allen. The same thing, consumer education and knowing
who you are doing business with.
Mr. Baca. My next question is is there some kind of
educational program that we could put out to our consumers
right now? All three of you suggested some ideas. The problem
is that many of our consumers are not aware there is this
information that they could access or go through.
How can they find out information, or is something we
should be doing even here at the national level, developing
some kind of educational consumer awareness?
Mr. Rotenberg. I think the Federal Trade Commission has
done some good work in this area. I think the businesses are
also doing a fairly good job trying to encourage consumers to
learn more about doing business online.
Part of the problem, Congressman, is that things are
changing very quickly. Technology is changing quickly.
Businesses are changing quickly. A year ago, no one had heard
of MySpace. Today, it is the number one Web site. It has a big
impact on the privacy of our children.
It takes a lot of time and effort to stay up to date with
these developments.
Mr. Baca. One other question. A lot of us, under the
identity theft and fraud that is going on, a lot of us sit
home, it doesn't matter who we are, and get a lot of the
telemarketers who call us almost on a daily basis. Now, at
least we have developed a block number so we can block some of
those out.
Is there a computer type system available where we can
actually block some of this out? That is where a lot of the
identity theft and fraud also occurs, and I don't know if our
consumers are aware if there is some type of a system that is
available that can block out, like we do block out numbers.
Right now, anybody can get into the Web site, the Internet,
e-mail.
Is there such a system that is being developed, and if
there is, some of us need to be educated. Maybe I am not aware.
Mr. Rotenberg. Congressman, as you indicated, the Do Not
Call legislation was extremely successful. There were more than
100 million consumers who signed up for that. It did reduce the
amount of telemarketing and the phone calls at dinner time.
There have been proposals since for a Do Not E-Mail list,
but it is not clear those would be effective. Most of the
efforts to restrict the amount of spam that consumers receive
are working forward on the technology front and not so much on
the legislative front.
Mr. Baca. Could you elaborate? Why would it not be
effective? You said it may not be effective?
Mr. Rotenberg. There are many reasons. One of them is that
e-mail addresses can be imprecise. They can change. It can be
difficult to identify the originator of an e-mail
communication. It is also very inexpensive to send millions and
millions of e-mails.
It turned out that it worked, the Do Not Call list worked
particularly well for telemarketing because of the structure of
the industry and the ability with legislation to limit some of
the more invasive practices.
Mr. Pearce. The gentleman's time has expired. Ms. Kelly?
Mr. Baca. Could I have Mr. Bohannon's answer?
Mr. Pearce. One moment, Ms. Kelly. We have one more answer.
Mr. Bohannon. Again, Mr. Rotenberg and I often agree on
many things, and this is one. I would just refer to the
Congressman and the committee a very thoughtful study that was
done by the FTC in response to Congress on this very question,
where they identified not only many of the practical issues
that Mr. Rotenberg identified, but you can imagine a hacker--a
hacker would spend every night for a year trying to figure out
how to hack this database.
A, he knows or she knows they are legitimate e-mail
addresses. If he ever gets ahold of them, he could spam
everyone in the world.
I think there are a number of issues that come up with a
registry-like approach and Do Not Call, but the other point I
would add to the very thoughtful comments is I think there are
some good tools out there to help you in managing some of this.
They are not perfect. Some of them are my members.
I do think it is important to know the tools that are out
there, keep them up to date, and know how to use them so you
become as sensitized and are as aware of what is trying to get
to you, both good and bad.
Mr. Baca. As we do that, we have to simplify it for some of
us who are not technology connected. It needs to be very
simple.
Mr. Bohannon. I can tell you some suggestions. I am not
allowed, of course, to promote particular products here.
Mr. Pearce. Thank you. Ms. Kelly?
Ms. Kelly. Thank you very much, Mr. Chairman.
You three were in the room when I was asking a question of
ICANN and the Commerce Department. My question to you is do you
think the Commerce Department ought to require ICANN to carry
out random audits of the register and the WHOIS data
procedures?
Let me start down at the other end, Mr. Rotenberg.
Mr. Rotenberg. Thank you, Congresswoman. I think audits
could be helpful, if you were trying to encourage accuracy, but
I also think that our privacy safeguards would encourage
accuracy.
One of the reasons that people provide inaccurate
information or incomplete information is because they
understand that it will be widely available to anybody,
including stalkers, spammers, and phishers.
I think the Department of Commerce, which has an
understandable interest in promoting accuracy, could advance
that goal through support for better privacy.
Mr. Bohannon. Thank you for your question, Congresswoman. I
think it is our view that, as the MOU is reviewed and ICANN's
commitments under the MOU are evaluated, I think those kinds of
concrete things that ICANN under the existing arrangement has
set out to do to improve accuracy and reliability need to be
clearly documented, and I think as the MOU is renewed and
reviewed, there may be a need to get more specific in terms of
the Department of Commerce's expectations, and I think audits,
random audits, is one example.
Ms. Allen. I agree there could be more that ICANN does in
terms of positive reinforcement, proactive audits. There is
more that others in the community, such as ISPs, could do,
that could also help to stop the fraud.
Also, by having transparency, there is a self-policing
effort, the fact that as consumers and/or businesses see there
are fraudulent sites, report them and help to shut them down.
That is part of the process as well.
Ms. Kelly. I noticed in some of the testimony, you were
talking about the privacy of users and not the accuracy of
information.
One of the questions I have is whether or not there should
be a procedure in place of some sort so that people can appeal
to the registrar on something that is a decision, some sort of
a registrar decision on not to act on a false WHOIS data that
is reported to it, because the registrar can make that choice
right now.
It looks to me as though there is no penalty attendant to
misinformation or to privacy theft at the present moment, in
terms of whether or not the registrar acts.
I am wondering if we could again start with you, Mr.
Rotenberg.
Mr. Rotenberg. I think for the most part, the registrars
have tried to stay out of the role of enforcing accuracy
requirements. I think it could certainly be in the context of
RAAs, which are the agreements that the registrars sign to sell
the domain names, to impose accuracy requirements is one way to
accomplish that goal.
As I said, I still think the privacy safeguards would work,
because individuals would be less likely to provide inaccurate
information.
Ms. Kelly. For anyone to plead a right to privacy, people
need to remember there is no right to privacy on inaccurate
information.
Mr. Rotenberg. Congresswoman, if I may give an analogy, to
the white pages and the phone books. I used to look at those. I
was interested in how people protected their privacy in a very
similar directory. A lot of people do not list their home
address. A lot of women give a first initial instead of the
complete first name.
You can say that is incomplete maybe, not inaccurate, but
it is clearly done with the goal of protecting privacy.
I think some of that happens with the WHOIS directory as
well.
Ms. Kelly. That is not misinformation. That was my point.
Mr. Rotenberg. Okay.
Ms. Kelly. Mr. Bohannon?
Mr. Bohannon. I think you are asking a very important
question, Congresswoman. I think our view is that 3 years ago,
ICANN made very specific commitments in these areas.
I think in my prepared remarks, I am very clear that while
ICANN believes it has met those commitments, we feel they have
really come up short.
They, in fact, did implement a process called the WHOIS
data problem reporting system. It was supposed to address many
of these questions.
As the GAO study found, it simply is not proving effective.
The GAO found that less than a quarter of the complaints they
filed--that they intentionally submitted and filed--were taken
care of, and much of the misinformation or inaccurate
information was never corrected.
Our view is that we have a framework in place. Let's make
sure it is effectively enforced by ICANN and we do not have to
go out and re-invent the wheel. Let's get the existing system
working right. I think that does require some responsibility on
the part of ICANN to do that.
Ms. Kelly. Do you think that penalties of some sort imposed
by the Commerce Department might be of benefit there?
Mr. Bohannon. I think my view is what we need to do is get
ICANN to recognize that in its role, it needs to be in direct
relationship with the registrars and use that relationship.
It needs to find, I think, a creative way, other than just
de-certifying the registrar, which quite frankly right now is
the only thing they can do. That may be too much of a response.
We need to find some gradations here.
We are prepared in working with the registrars and all the
communities of interest to find appropriate ways so that we can
make these realistic commitments enforceable and workable and
to everyone's interest.
Ms. Kelly. Thank you. Ms. Allen?
Ms. Allen. I wanted to distinguish between misinformation
or inaccuracies with criminal intent, which I think that is why
we want law enforcement and financial institutions to be able
to have access to this information, to go after those players.
It is the second part of it, misinformation, that may be
from marketing or a misrepresentation from a business point of
view, but looking for responsibility in enforcement. There are
some mechanisms in place that ICANN has not lived up to, and I
think that is something that needs to be communicated in the
contracts and MOUs.
Ms. Kelly. Thank you very much. My time is up, Mr.
Chairman. Thank you.
Mr. Pearce. I thank the gentlelady. The Chair notes that
some members may have additional questions for this panel,
which they may wish to submit in writing.
Without objection, the hearing record will remain open for
30 days for members to submit written questions to these
witnesses, and to place the responses in the record.
I thank the witnesses from both panels. With that, this
hearing is adjourned.
[Whereupon, at 2:02 p.m., the subcommittee was adjourned.]
A P P E N D I X
July 18, 2006
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]