[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]




                    ICANN AND THE WHOIS DATABASE:

                      PROVIDING ACCESS TO PROTECT

                        CONSUMERS FROM PHISHING

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
               FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 18, 2006

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 109-108












                    U.S. GOVERNMENT PRINTING OFFICE

31-537 PDF                  WASHINGTON : 2007
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, 
Washington, DC 20402-0001






                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania
DEBORAH PRYCE, Ohio                  MAXINE WATERS, California
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
MICHAEL N. CASTLE, Delaware          LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio                  GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair   DARLENE HOOLEY, Oregon
RON PAUL, Texas                      JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio                BRAD SHERMAN, California
JIM RYUN, Kansas                     GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio           BARBARA LEE, California
DONALD A. MANZULLO, Illinois         DENNIS MOORE, Kansas
WALTER B. JONES, Jr., North          MICHAEL E. CAPUANO, Massachusetts
    Carolina                         HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois               RUBEN HINOJOSA, Texas
CHRISTOPHER SHAYS, Connecticut       JOSEPH CROWLEY, New York
VITO FOSSELLA, New York              WM. LACY CLAY, Missouri
GARY G. MILLER, California           STEVE ISRAEL, New York
PATRICK J. TIBERI, Ohio              CAROLYN McCARTHY, New York
MARK R. KENNEDY, Minnesota           JOE BACA, California
TOM FEENEY, Florida                  JIM MATHESON, Utah
JEB HENSARLING, Texas                STEPHEN F. LYNCH, Massachusetts
SCOTT GARRETT, New Jersey            BRAD MILLER, North Carolina
GINNY BROWN-WAITE, Florida           DAVID SCOTT, Georgia
J. GRESHAM BARRETT, South Carolina   ARTUR DAVIS, Alabama
KATHERINE HARRIS, Florida            AL GREEN, Texas
RICK RENZI, Arizona                  EMANUEL CLEAVER, Missouri
JIM GERLACH, Pennsylvania            MELISSA L. BEAN, Illinois
STEVAN PEARCE, New Mexico            DEBBIE WASSERMAN SCHULTZ, Florida
RANDY NEUGEBAUER, Texas              GWEN MOORE, Wisconsin,
TOM PRICE, Georgia                    
MICHAEL G. FITZPATRICK,              BERNARD SANDERS, Vermont
    Pennsylvania
GEOFF DAVIS, Kentucky
PATRICK T. McHENRY, North Carolina
CAMPBELL, JOHN, California

                 Robert U. Foster, III, Staff Director
       Subcommittee on Financial Institutions and Consumer Credit

                   SPENCER BACHUS, Alabama, Chairman

WALTER B. JONES, Jr., North          BERNARD SANDERS, Vermont
    Carolina, Vice Chairman          CAROLYN B. MALONEY, New York
RICHARD H. BAKER, Louisiana          MELVIN L. WATT, North Carolina
MICHAEL N. CASTLE, Delaware          GARY L. ACKERMAN, New York
EDWARD R. ROYCE, California          BRAD SHERMAN, California
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
SUE W. KELLY, New York               LUIS V. GUTIERREZ, Illinois
RON PAUL, Texas                      DENNIS MOORE, Kansas
PAUL E. GILLMOR, Ohio                PAUL E. KANJORSKI, Pennsylvania
JIM RYUN, Kansas                     MAXINE WATERS, California
STEVEN C. LaTOURETTE, Ohio           DARLENE HOOLEY, Oregon
JUDY BIGGERT, Illinois               JULIA CARSON, Indiana
VITO FOSSELLA, New York              HAROLD E. FORD, Jr., Tennessee
GARY G. MILLER, California           RUBEN HINOJOSA, Texas
PATRICK J. TIBERI, Ohio              JOSEPH CROWLEY, New York
TOM FEENEY, Florida                  STEVE ISRAEL, New York
JEB HENSARLING, Texas                CAROLYN McCARTHY, New York
SCOTT GARRETT, New Jersey            JOE BACA, California
GINNY BROWN-WAITE, Florida           AL GREEN, Texas
J. GRESHAM BARRETT, South Carolina   GWEN MOORE, Wisconsin
RICK RENZI, Arizona                  WM. LACY CLAY, Missouri
STEVAN PEARCE, New Mexico            JIM MATHESON, Utah
RANDY NEUGEBAUER, Texas              BARNEY FRANK, Massachusetts
TOM PRICE, Georgia
PATRICK T. McHENRY, North Carolina
MICHAEL G. OXLEY, Ohio


















                       C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    July 18, 2006................................................     1
Appendix:
    July 18, 2006................................................    37

                               WITNESSES
                         Tuesday, July 18, 2006

Allen, Catherine, CEO, BITS/Financial Services Roundtable........    17
Bohannon, Mark, General Counsel and Senior Vice President, 
  Software and Information Industry Association..................    20
Harrington, Eileen, Deputy Director, Bureau of Consumer 
  Protection, Federal Trade Commission...........................     4
Kneuer, John M.R., Acting Assistant Secretary of Commerce for 
  Communications and Information and Administrator of National 
  Telecommunications and Information Administration, U.S. 
  Department of Commerce.........................................     3
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center.............................................    22

                                APPENDIX

Prepared statements:
    Bachus, Hon. Spencer.........................................    38
    Waters, Hon. Maxine..........................................    42
    Allen, Catherine.............................................    46
    Bohannon, Mark...............................................    69
    Harrington, Eileen...........................................    82
    Kneuer, John M.R.............................................    97
    Rotenberg, Marc..............................................   103

              Additional Material Submitted for the Record

    Statement of the American Intellectual Property Law 
      Association................................................   115
    Statement of Lynn Goodendorf.................................   117
    Letter from National Association of Federal Credit Unions....   121
    Various letters to Internet Corporation for Assigned Names 
      and Numbers (ICANN)........................................   123








 
                     ICANN AND THE WHOIS DATABASE:
                      PROVIDING ACCESS TO PROTECT
                        CONSUMERS FROM PHISHING

                              ----------                              


                         Tuesday, July 18, 2006

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:07 a.m., in 
room 2128, Rayburn House Office Building, Hon. Spencer Bachus 
[chairman of the subcommittee] presiding.
    Present: Representatives Bachus, Kelly, Gillmore, 
Hensarling, Pearce, Maloney, Moore of Kansas, Baca, and Clay.
    Chairman Bachus. Good morning. The subcommittee will come 
to order. I have, in the interest of time, submitted a written 
statement for the record, but I'm going to shorten my opening 
statement.
    At today's hearing, we will focus on proposals before the 
Internet Corporation for Assigned Names and Numbers, ICANN, 
that would limit the public's access to domain name 
registrants' contact information via the WHOIS database.
    This would put many long-standing and valuable uses of this 
data off limits and can make it difficult for law enforcement 
and financial institutions to identify, block, shut down, and 
in some cases, prosecute, the perpetrators of online financial 
fraud.
    It has always been ICANN's policy to collect contact 
information from registrants of Internet domain names and make 
it available to the public.
    This policy helps to promote accountability online, since 
consumers, financial regulators, and others seeking to 
determine who or what entity is responsible for a particular 
Web site or other online location can obtain this data through 
a service called WHOIS.
    Financial institutions, which are the focus of this 
hearing, use WHOIS data to combat identity theft and account 
fraud, particularly as it relates to phishing.
    The financial services industry is currently battling 
phishing scams at an unprecedented level. In May 2006, the 
Anti-Phishing Working Group, which is comprised of financial 
institutions, ISP's, and law enforcement, reported merely 
12,000 phishing sites, which on average remained online for 5 
days. These sites hijacked the brands of 137 companies in an 
attempt to fraudulently gain access to sensitive consumer 
information.
    Notwithstanding the critically essential and legitimate 
uses of the WHOIS database, ICANN is actively considering a 
policy change to restrict WHOIS data to those who resolve, 
``technical issues.'' If this change is adopted, public access 
to most of the data now in the WHOIS database would be denied, 
perhaps including data as fundamental as the name of the domain 
name registrant.
    I am concerned such proposals limiting the use of the 
information for resolving technical issues will make it 
difficult for financial institutions to respond effectively to 
identity theft and phishing attempts.
    Timely response to these attacks and identity theft is 
critical to protect financial institutions as well as innocent 
customers who are most often unaware of their victimization.
    In many cases, the only tool financial institutions have 
for identifying registrants or purported registrants of domain 
names in a timely manner is via the WHOIS contact information. 
Such uses of WHOIS data would become slower, more difficult and 
expensive, if not impossible, were ICANN to adopt the policy 
now being proposed.
    I am hopeful that today's hearing will enlighten and inform 
the committee as we address what could be a serious setback for 
attempts to combat identity theft and fraudulent financial 
transactions.
    Let me just say the bottom line is that continued full 
access to WHOIS data, I believe, is an important tool in the 
fight against fraudulent activity against consumers online.
    Mr. Moore, I'll recognize you for an opening statement.
    Mr. Moore of Kansas. Thank you, Mr. Chairman, for convening 
this hearing. I do not have an opening statement. I look 
forward to the statements of the witnesses. Thank you.
    Chairman Bachus. Let me just say that I want to take this 
opportunity to thank you for your participation on the 
committee. You are a valuable member and discharge your duties 
in a very professional way. I very much value your advice and 
input.
    Mr. Hensarling?
    Mr. Hensarling. [Off microphone]
    Chairman Bachus. Thank you, Mr. Hensarling. I could very 
well say the same thing about you. I appreciate your 
participation in the hearing.
    Our first panel is made up of Mr. John Kneuer, Acting 
Assistant Secretary of Commerce for Communications and 
Information, and Administrator of National Telecommunications 
and Information Administration, U.S. Department of Commerce, 
and Ms. Eileen Harrington, Deputy Director, Bureau of Consumer 
Protection, Federal Trade Commission.
    I have reviewed both of your resumes, and they were both 
very impressive. We welcome both of you to the hearing.
    Mr. Kneuer, we will start with your testimony.

 STATEMENT OF JOHN M.R. KNEUER, ACTING ASSISTANT SECRETARY OF 
 COMMERCE FOR COMMUNICATIONS AND INFORMATION AND ADMINISTRATOR 
OF NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, 
                  U.S. DEPARTMENT OF COMMERCE

    Mr. Kneuer. Thank you, Chairman Bachus, and members of the 
committee. I am pleased to have this opportunity to address 
recent developments related to ICANN and the WHOIS databases, 
and the role of the Department of Commerce in this critical 
area.
    The Department strongly supports continued access to an 
accurate, searchable, and publicly available WHOIS database. 
This data is critical to meeting a variety of public policy 
objectives, including law enforcement and consumer protection.
    We have been proactively advocating this position at the 
meetings of ICANN and elsewhere.
    Under the Memorandum of Understanding (MOU) between the 
Department and ICANN, ICANN has agreed to continue to assess 
the operation of the WHOIS databases and to implement measures 
to ensure secured improved accuracy of WHOIS data.
    In accordance with those specific provisions, ICANN has 
published three annual reports that provide information on 
community experiences with the WHOIS database's problems 
reporting system.
    While ICANN has full oversight of the WHOIS databases, 
there has been some concern about ICANN's generic name 
supporting organization, the GNSO, and the policy development 
process it has initiated, which among other things seeks to re-
define the purpose of WHOIS data.
    In April 2006, the GNSO Council voted in favor of a new 
definition of the purpose of WHOIS data that is, ``To resolve 
issues related to the configuration of the records associated 
with the domain name within a DNS name server.''
    This definition is considered by many, including the U.S. 
Government, as a narrow technical definition.
    We have been working within the ICANN process to address 
this concern.
    It is important to understand that this definition reflects 
only the views of the GNSO Council, and it does not currently 
reflect a change in ICANN policies or procedures. Indeed, 
before any change is contemplated, it must be submitted to the 
ICANN Board for adoption, and before the Board takes any 
action, other ICANN constituencies, including governments 
through the Government Advisory Committee, will have an 
opportunity to express their views into the process.
    Just last month in Marrakech, Morocco, at the ICANN Board 
meeting, the U.S. Government submitted a formal statement into 
the Government Advisory Committee expressing our concerns. I 
have included that statement for the committee's record.
    Our concern is as it is now a technical definition, it 
would hinder continued access to that database for a range of 
legitimate, critical Government uses, including law 
enforcement, protection of intellectual property rights, and 
consumer protection.
    I think it is important to note that this statement that we 
submitted reflects not just the views of the Commerce 
Department but the views of the Justice Department, the views 
of the State Department, Homeland Security, the Federal Trade 
Commission, the FBI, the IRS, and the Patent and Trademark 
Office.
    In developing this position with the U.S. Government, we 
have also undertaken considerable outreach to other 
constituencies, including the financial services sector.
    We facilitated a meeting between U.S. agencies and the 
companies associated with the Financial Services Roundtable, to 
discuss their concerns, and we are continuing to work with 
these and other interested parties to make sure their views are 
reflected in the ICANN decision making process before any 
formal changes of policy are considered.
    We have also been working closely with other national 
governments to develop more formal public policy positions, so 
those views on the purpose and use of WHOIS data can also be 
reflected.
    Finally, I would also note that the ICANN Board passed a 
resolution in June that acknowledges the open dialogue between 
the Government Advisory Committee and the GNSO Council, 
regarding the issues covered by the WHOIS Taskforce, as well as 
an opportunity for public comment. We think this is a strong 
development, and will certainly be a continued opportunity, not 
just for governments but other interested parties to have their 
views expressed before ICANN makes any decision on a formal 
change to its policies regarding WHOIS.
    Again, I thank you for inviting me. I look forward to any 
questions you may have.
    [The prepared statement of Mr. Kneuer can be found on page 
97 of the appendix.]
    Chairman Bachus. Thank you.
    Director Harrington?

  STATEMENT OF EILEEN HARRINGTON, DEPUTY DIRECTOR, BUREAU OF 
         CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Harrington. Thank you, Mr. Chairman. Thank you very 
much. I am pleased to present the Federal Trade Commission's 
testimony this morning, which has been entered into the record. 
My statement and any questions that I provide reflect my views 
and not necessarily those of the full Commission.
    As my colleague mentioned, ICANN recently met in Morocco to 
continue its consideration of a proposal to narrow the purpose 
of WHOIS databases, and thus limit access to the useful and 
important information they contain.
    Because this is an issue of great importance to law 
enforcers and consumers, Commissioner Jonathan Leibowitz of the 
FTC, along with officials from several of our consumer 
protection and law enforcement allies from other nations, 
attended the ICANN meeting to speak about the importance of 
maintaining access to WHOIS databases.
    In the wake of the Morocco meeting, we understand that 
ICANN is re-evaluating its earlier inclination to adopt a 
narrower purpose.
    The debate over access to WHOIS databases raises at least 
four important considerations. The ability of law enforcers to 
access information about fraudsters who use Internet Web sites, 
the ability of consumers to know who they are dealing with when 
they engage in e-commerce, the needs of some private sector 
entities, including financial institutions, to access WHOIS 
data to serve important public purposes, and individual privacy 
interests.
    In the brief time I have this morning, I want to elaborate 
on the law enforcement, consumer, and business entity interests 
in retaining WHOIS access. I know the important privacy 
concerns will be addressed by members of the second panel this 
morning.
    The FTC makes frequent use of its authority to stop unfair 
and deceptive acts or practices to challenge a variety of 
Internet-related threats, including phishing, spam, and 
spyware.
    In these cases, our investigators face the sometimes 
daunting task of determining the identity of scoundrels who 
hide behind the electronic shield of the Internet. Sometimes, 
we unmask the wrongdoers by learning their identities and 
whereabouts from WHOIS databases, but even when scamsters 
provide false registration information, access to WHOIS 
databases provides invaluable leads.
    Scammers often provide the same or similar phony 
information for multiple Web sites involving several different 
schemes, and by having access even to that inaccurate 
information, we are able to develop evidence demonstrating 
critical linkages that ultimately can help lead us to the bad 
guys.
    Consumers also need to know who they are doing business 
with, whether online or in the bricks and mortar world, and 
continued public access to WHOIS data provides the information 
that can be essential to consumer confidence in the online 
marketplace.
    If consumers do not receive the goods or services that they 
have purchased, they need to know how to reach the vendor that 
they have done business with. We really cannot afford to take 
away the consumer confidence in the marketplace that access to 
that information provides.
    We know that phishing and identity theft are of particular 
concern to the committee, and they are to the FTC as well.
    Financial institutions are watchdogs, private enforcers, 
and sometimes victims of phishing schemes. They receive early 
warning from their customers who have received bogus e-mails 
from phishers, and they can warn their customers. They can 
sometimes bring private actions to halt the misappropriation of 
their good names and reputations, and when their customers fall 
victims to phishers, their reputations suffer.
    They, too, are among the private sector entities who need 
continued access to WHOIS registration information for 
commercial Web sites. Without it, the risks of identity theft 
add harm to consumers and can only grow.
    WHOIS databases are one source of valuable information for 
the FTC's work to protect U.S. consumers. There are other 
critically important tools that the FTC needs, however, to 
fight online fraud in the global marketplace.
    The FTC has previously recommended that Congress consider 
enacting the U.S. Safe Web Act, which passed the Senate in 
March of 2006. This act would make it easier for the FTC to 
gather information about Internet fraud from sources other than 
WHOIS databases, including our foreign law enforcement 
counterparts and financial institutions in the United States, 
and critically, we would be able to obtain information from 
financial institutions without tipping off the targets of our 
investigation to the existence of the ongoing law enforcement 
inquiry.
    We thank you for your attention to the FTC's interests this 
morning and look forward to answering any questions that you 
may have.
    [The prepared statement of Ms. Harrington can be found on 
page 82 of the appendix.]
    Chairman Bachus. Thank you. Mr. Hensarling, do you have any 
questions at this time? If you would like a few minutes, I 
could go ahead.
    Mr. Hensarling. I am happy to go now, Mr. Chairman.
    Chairman Bachus. Okay. Thank you.
    Mr. Hensarling. As often is the issue in the financial 
concerns of this committee, there is always a balance between 
our privacy and our security. I think this issue is re-
presenting itself here today.
    Mr. Kneuer, if the more narrow definition of the purpose of 
the WHOIS database was adopted, what precisely is going to 
change for law enforcement? How does their job become more 
difficult?
    Mr. Kneuer. I think it immediately becomes much more 
difficult, as Ms. Harrington was just mentioning, when there is 
evidence of malfeasance on an Internet site, whether it is 
financial fraud or child pornography or other forms of 
obscenity, whether it be the abuse and violation of 
intellectual property rights, the holders of those property 
rights and law enforcement can go to the site and find out the 
information.
    If the information is unavailable, the Internet potentially 
becomes an immediate safe harbor for a host of illegal activity 
that can be accomplished over the Internet without any recourse 
for law enforcement to really be able to track down the bad 
actors in an efficient way.
    Mr. Hensarling. Ms. Harrington, essentially the same 
question for you. How would the FTC be limited by this more 
narrow definition?
    Ms. Harrington. I agree with what my colleague just said. 
Specifically, there are hundreds of consumer protection and law 
enforcement investigations going on at any time at the FTC, 
investigations that often are spurred directly by complaints 
from citizens and consumers about harm that they have 
experienced.
    The immediate impact is to make it far more difficult for 
us to find the wrongdoers, and if we cannot find them, we 
cannot stop them. Most importantly, we cannot get money back 
for consumers who have been defrauded.
    Mr. Hensarling. If I heard your testimony correctly, you 
said something that struck me as a little bit curious, and I 
think I heard you say that even inaccurate information gained 
from the database can be useful by law enforcement.
    If I heard you correctly, could you elaborate on that?
    Ms. Harrington. Let me give you a good example. In a case 
that we brought several years ago in 2002 against a fellow 
named John Zucarinni; he had registered approximately 6,000 
domain names and most of those mimicked legitimate and popular 
Web sites.
    When consumers mistakenly entered onto his turf, their 
computers were hijacked, their browsers were hijacked, and they 
really lost control of their computers. It was a horrible 
situation that he caused.
    In that case, we used WHOIS to identify different domain 
names that were registered to him under different alias, and 
that inquiry enabled us to assess the extent--what turned out 
to be the very wide extent--of his bad acts. That was critical 
evidence in enabling us to go into Federal Court, get an order 
to immediately shut down all of his Web sites, and ultimately 
get a judgment for $1.8 million to redress consumers, and then 
we worked closely with criminal authorities who convicted him 
of criminal acts, and he served 30 months in prison.
    That evidence from WHOIS, even though it was inaccurate, 
was critical. It told us that we weren't dealing with some 
small potato operator, but this was a very large scam, and that 
evidence, in turn, was furnished to criminal authorities when 
we were finished with our civil case, and that helped them get 
a significant sentence against him.
    Mr. Hensarling. You also mentioned in your testimony the 
U.S. Safe Web Act.
    Ms. Harrington. Yes.
    Mr. Hensarling. On the other side of the Capitol, one of 
many pieces of legislation written by the other body that I 
have not gotten around to reading yet.
    Could you elaborate somewhat on, I suppose, the tools that 
you feel the FTC is missing today to effectively combat this 
type of fraud, and what are the tools that are provided to you 
under this act that you desire?
    Ms. Harrington. There are several basic abilities that it 
would give us to obtain and share information with our foreign 
counterparts. Right now, we cannot.
    In addition, a really important provision in U.S. Safe Web 
would enable us to go to court to get an order to shield--to 
protect information about a subpoena that we send to a 
financial institution so that the financial institution would 
not be required under other privacy acts to notify 
accountholders that they had received a subpoena from the 
Federal Trade Commission for information.
    Right now, very important investigations, the existence of 
them, can be revealed and sometimes is revealed by financial 
institutions to the targets. The effect that has is that when 
we seek in an ex parte proceeding an asset freeze on the assets 
of companies that are defrauding consumers, the assets are gone 
by the time we get there.
    It is really important.
    Mr. Hensarling. I see my time has expired. Thank you.
    Chairman Bachus. I thank the gentleman. Mr. Moore?
    Mr. Moore of Kansas. Mr. Chairman, I do not have any 
questions. Thank you.
    Chairman Bachus. Mrs. Maloney?
    Mrs. Maloney. I just want to say that 19 States, including 
my home State of New York, have responded to identity theft by 
enacting laws that allow individuals to restrict access to 
their credit reports whenever they feel it is necessary to 
prevent identity theft.
    Would that not help break down or stop what you are saying 
is the number one or the highest form, that identity theft 
comes ahead of any other consumer fraud complaint, accounting 
for somewhere between a third and a half of all complaints 
filed with the FTC?
    Would not this approach of just allowing file freeze by 
consumers on their credit--if they want someone to see their 
credit, then they can release it. It just seems that is the way 
to crack down on identity theft, which is really an incredible 
crime.
    We have many cases come to my office. Sometimes they think 
they even make up the numbers, but by the time they find out 
about it, their credit is ruined really for the rest of their 
life. They cannot really get it replaced. It is just a very 
difficult thing.
    I guess my question to you is what about file freeze? Would 
not file freeze work? It stops the thieves from getting the new 
credit?
    Ms. Harrington. We are right with you on the seriousness of 
the identity theft problem. Consumers now can put fraud alerts 
on their credit reports, which are a pretty effective hurdle to 
the issuance of new accounts in their names, and also give 
consumers pretty much real time information about who is making 
inquiries, and what is happening with their credit record.
    The freeze issue is an interesting one. I think we can 
argue certainly the pros, as you have very eloquently. One of 
the concerns with freezes, and when consumers ask us whether 
they ought to put a freeze on their account, we need to tell 
them also that what this means is they are not going to be able 
to access credit in the ways they often want to.
    I think it is a balancing act, really.
    Mrs. Maloney. Any other comments?
    Mr. Kneuer. Just to stress the importance of WHOIS data for 
law enforcement; it goes beyond just consumer protection. It is 
critical for law enforcement in a host of areas.
    The FBI feels strongly enough about this that they send 
representatives to ICANN meetings around the world to ensure 
that WHOIS data is protected.
    Mrs. Maloney. In late June, in Morocco, ICANN specifically 
stated that they would continue to provide access to law 
enforcement in adopting the new rules. Are you aware of this 
position?
    Mr. Kneuer. I think that reflects the view of the Board of 
ICANN that the views expressed by the GNSO Council were the 
views of one ICANN constituency, and that law enforcement 
remains a very important constituency as well, and that before 
they make any decision on a change in WHOIS policy, the views 
of law enforcement will be considered.
    Mrs. Maloney. At this forum, they said they would provide 
access to law enforcement. If law enforcement has access, does 
that affect your views? It seems that solves it if law 
enforcement has access.
    Mr. Kneuer. I would have to see the full text of the 
statement, but I believe that is a reflection of the fact that 
the current WHOIS policy and the current WHOIS procedures of 
ICANN have not changed.
    Law enforcement gets access through the publicly available 
searchable accurate WHOIS database. They do not intend to make 
changes that would adversely affect the ability of law 
enforcement to continue to have access.
    Mrs. Maloney. I think we all agree that law enforcement 
should have access. I think we can also agree that the 
widespread availability of personal information is clearly 
contributing to the problem of identity theft, which the FTC 
has reported as the top consumer complaint.
    Have you undertaken any studies to determine whether 
unrestricted access to WHOIS data might not actually contribute 
to the problem of identity theft and online fraud?
    Has the FTC looked at whether spammers are obtaining e-mail 
addresses and other contact information from the WHOIS 
database?
    Ms. Harrington. We are very concerned about protecting the 
privacy of individuals' personal information. That is why we 
have called for public access to registration information about 
commercial databases, not non-commercial databases. We strongly 
support continued public access to commercial information.
    We did a study. In Internet time, it is probably ancient at 
this point. It was done a couple of years ago. At that time, it 
did not appear to us that there was significant use being made 
by spammers of WHOIS data.
    More recently, I have read other more current work that has 
been done that suggests that may be becoming a problem, and it 
is something that I think we will be looking at again to update 
our older work.
    Mrs. Maloney. Have you contacted your colleagues overseas 
that are operating under privacy rules? Have you spoken with 
your colleagues in other countries about how the FTC could 
investigate fraud and still safeguard privacy?
    Ms. Harrington. Yes. People from the FTC are in very 
regular contact with our colleagues in other countries. As the 
private interests and laws pertain to WHOIS, it is our 
understanding that, for example, the position that we are 
taking on continued access to WHOIS registration information 
for commercial Web sites for the public is not inconsistent 
with those privacy laws.
    Chairman Bachus. Thank you. Mr. Pearce?
    Mr. Pearce. Thank you, Mr. Chairman. I suspect I would ask 
either one of you, how big a problem is the identity theft 
coming from the other side? I tend to fall on the side that if 
someone is seeking access to me to do business, that I ought to 
be able to have full access to information to them.
    What drives the concern on the other side? Is it based on 
fact or is it just the concern that we are going to give away 
information about Web site operators?
    I will let both of you take a stab at that.
    Chairman Bachus. Could I ask the gentleman to yield?
    Mr. Pearce. Sure.
    Chairman Bachus. I will ask unanimous consent to give him 
an extra minute.
    I think what Mr. Pearce has just said, I would like to 
associate myself with his remarks. What he said is if someone 
has assumed an identity and is contacting me over the Internet 
and telling me they are my financial institution or American 
Express or the Red Cross.
    We have a letter from the Red Cross that after Katrina, 
millions of people were contacted, and after the tsunami, 
millions of people were contacted, and told it was the Red 
Cross, and were given a Web site address to send contributions.
    As far as privacy, I think the privacy arguments are where 
Mr. Pearce says, with the consumer, who the identity of the 
person he is dealing with, he is being told it is his bank.
    I will say this. Even the FTC, which says we are going to 
give law enforcement these rights, but we are not going to give 
them to individuals, it is the individuals who are being 
contacted and ripped off.
    When you deny the individuals the right to know who they 
are dealing with and who is coming into their computer and 
communicating with them and corresponding with them, I think 
you take away a right that we have had on the Internet since 
this database started.
    They are now saying they want to make changes. It is a 
radical change that I do not think the American people realize.
    A bank robber could claim that taking his fingerprints is 
an invasion of privacy. I would equate these people who 
masquerade as my bank or as the Red Cross are criminals. 
Protecting their identity is sort of like protecting a bank 
robber's identity.
    Ms. Harrington. Mr. Chairman, if I could just clarify. The 
Federal Trade Commission supports full access by law 
enforcement to all WHOIS database registration, including--
    Mr. Pearce. That is not my question. My question is for me 
as a consumer.
    Chairman Bachus. Right. I think in his question, that is 
maybe what you missed. He is saying as far as privacy and as 
far as somebody communicating with me, if they are coming on 
and telling me they are somebody and I am opening up my 
database and I am giving them information, not only law 
enforcement, but this is an important tool that consumers have 
had.
    I hope that the FTC, in trying to compromise with WHOIS and 
ICANN, does not give away important rights of consumers.
    What Mr. Pearce is saying, when he deals with somebody over 
the Internet, they are asking him for sensitive information, 
and representing themselves as his bank or something.
    The fact that the FBI or the local police have a right to 
that information--
    Ms. Harrington. We agree. All of those examples that you 
have given would fall in the category of commercial Web sites. 
If someone is posing as your bank, someone is trying to collect 
money from you, that is information that we believe that you as 
a consumer, registration information, should have access to.
    We draw a distinction between commercial and non-commercial 
Web sites. On the non-commercial side, some have suggested a 
tiered access system. There is a lot of debate going on at 
ICANN about that.
    The concern is that if you as an individual have set up 
your own personal Web site for some non-commercial purpose, if 
you are a dissident living in some totalitarian regime and have 
put information on the Web site that could subject you to very 
serious consequences, should your personal information be 
widely searchable in a WHOIS database by anyone or not?
    That is where the personal--
    Mr. Pearce. That was my question. What is the whole 
question of personal privacy? If my granddaughter is on a Web 
site that begins to explore pieces of conversation with her 
that I would rather not have occur, that is not a commercial 
transaction, and yet I think, for myself, I would sit here in 
full transparency, there ought to be a click on every 
communication that allows you to go straight to and find out 
who it is that really is operating.
    I am wondering what drives the debate? You are talking, Ms. 
Harrington, about the debate being driven by privacy concerns.
    You are out here in a full operation requesting information 
from somebody, commercial or non-commercial, and I just believe 
that transparency is the better rule. Let's open it all up. 
Let's shine the light in there. I do not think there ought to 
be protections of any kind if you are out on the Web trying to 
get access to my house, my business, or my granddaughter.
    I do not understand that. Could you help me understand the 
legal concerns of privacy?
    Mr. Kneuer. If I might, sir. The U.S. Government's 
submission to the Government Advisory Committee of ICANN makes 
no distinction between commercial and non-commercial addresses.
    It is the view of the U.S. Government, like I said, the 
views of the State Department, the Justice Department, Homeland 
Security, the Commerce Department, the Patent and Trademark 
Office, the IRS, and the FBI, that there should be no 
distinction between the two of these, and for precisely the 
reasons you are talking about.
    I think Ms. Harrington's views from a commercial 
standpoint, the equities that the FTC is concerned with, is 
consumer protection in commercial situations. There are other 
significant Government equities that have broader concerns, the 
ones you mentioned.
    If a Web site is up that is not necessarily doing 
commercial transactions, it can be violating laws in a variety 
of different ways. It could be abusing intellectual property 
rights. There could be child pornography or other obscenity, 
where there is recourse to the laws.
    We do not make that distinction. We believe that the WHOIS 
database ought to be publicly available, accurate and 
searchable for all domain registrations.
    Mr. Pearce. Ms. Harrington, do you have any other ideas or 
comments on that? What would you say to a link on every 
communication on a Web site that takes you right to that?
    Ms. Harrington. To the registration?
    Mr. Pearce. To the Web site, let you know who it is that 
has set this particular site up.
    My wife serves on a bank board. Just recently people were 
intercepting communications intended for the bank, representing 
themselves as the bank. Actually, transactions were occurring.
    If that e-mail had access to whoever is originating, the 
consumer could click on it, take a look and say that is not my 
bank, this is somebody in Indonesia or somewhere.
    Ms. Harrington. I have not thought about that particular 
mechanism, Congressman. You raise indirectly another really 
interesting challenge in this whole area, and that is accuracy, 
which is something that the U.S. Government, including the 
Federal Trade Commission, has consistently raised as a concern 
in connection with WHOIS databases.
    We want to make sure that there is access to the 
registration information. We also want to make sure domain 
registrars do everything they can to ensure the accuracy of 
that information.
    Our experience is oftentimes people who are up to no good 
include in their no-good activity the providing of false 
information.
    Mr. Pearce. Thank you, Mr. Chairman.
    Chairman Bachus. Thank you. I appreciate your remarks.
    Congresswoman Kelly has been very active on this issue. I 
have been going back and forth. Mr. Moore?
    Ms. Kelly. Are you in the first or second round of 
questions?
    Chairman Bachus. Actually, he did not ask questions. Go 
ahead, Ms. Kelly. You have been a leader on this issue.
    Ms. Kelly. It certainly is the floor for Mr. Moore.
    Chairman Bachus. He is fine.
    Ms. Kelly. Thank you. I think the public's concern on a lot 
of this is the fact that on Web sites, when you log on to 
certain Web sites, there are things there that are down right 
errors. There is misrepresentation.
    Apparently, you are supposed to look at who has what Web 
site, if I understand. Is that correct?
    Once you do that informational piece to find out who has 
established a Web site, do you have any further duty to make 
sure that what is on that Web site is accurate?
    Mr. Kneuer. On the WHOIS database, to test the accuracy of 
that?
    Ms. Kelly. Right.
    Mr. Kneuer. The registrars are supposed to ensure the 
accuracy of it. Given the millions and millions of Web sites, I 
think it is one of the reasons it is important that it not just 
be law enforcement but consumers who have access, this really 
is a collaborative effort, whether it be law enforcement or a 
consumer who does the initial inquiry, if they see information 
that appears to be inaccurate or based on that information, 
they do a follow up and find it leads to a dead end, they can 
then report that problem, and the registrars can correct the 
problem or eliminate the Web page.
    Ms. Kelly. How would a broad consumer use change that?
    Mr. Kneuer. I think broad consumer use is what helps that 
process along. I think eliminating that broad consumer use 
makes it much more difficult for the registrars and others to 
maintain the accuracy of the database.
    There are limited resources for the ability to spot check 
and go through millions and millions of sites.
    Having the opportunity for consumers and for others to 
exercise their rights to get into the WHOIS database to follow 
up on that information is much more likely to uncover 
inaccuracies and uncover illegal or otherwise inappropriate 
activity.
    Ms. Kelly. Getting into that database, if I were a 
consumer, could I change information on the database at my 
will?
    Mr. Kneuer. No. Only the registrant can change the 
information by submitting it to the registrars, and the 
registrars maintain the database.
    If you go to one of the registrars and clock on WHOIS and 
you put in a field, I want to know who owns what site, that 
pulls up--you do not then have rights to edit that field. It is 
a read-only file.
    Ms. Kelly. Do you think that there is an adequate--that we 
have maximum data and you have so many different Web sites, 
what do you think is the best thing that you can do to make 
sure you get the maximum data security and consumer protection 
without harming the people who are likely to be using those 
sites, especially small businesses? That is one of my chief 
worries here. They do use the Web sites.
    Mr. Kneuer. I think transparency and consumer education. 
When I talk about consumers, I am not just talking about 
individual consumers, but businesses as consumers. As long as 
there is transparency in the process, more people are aware 
they have this tool at their disposal.
    If you are a small business and you are engaging in 
business online, you are trying to use the power of the 
Internet to leverage your small business nationally or even 
globally and in doing that, you are looking to find business 
partners, the more ability for those small businesses to access 
the WHOIS data to find out more about the potential partners 
that they may be looking at, too, I think the better for it.
    To the extent that the WHOIS data, as I said, is itself 
transparent, when you register a domain name, it is very clear 
that part of the deal is you are going to publish this 
information to the world. If you want to publish your Web site 
to the world, you are going to publish this information to the 
world.
    It is a deal that you make, and it is transparent. This 
information is not being publicized without the registrant's 
understanding that it is being publicized.
    Ms. Kelly. I'm going back to what I asked before. If the 
registrar registers the site, does the registrar ever go back 
and check to make sure that site has not been altered and 
changed in some way?
    The reason I am asking this is I logged onto a Web site 
which then automatically put me into a second Web site. This 
was a Web site that is used by private detectives and people 
like that. People can also get on the site, but when you pay 
through the second site to get more information, but logging 
onto the registered site took me immediately to a second site. 
That second site, when I was happy to pay, because I wanted to 
see what was on it, had misinformation.
    That is what concerns me. The transparency is great. 
Unchecked transparency can possibly lead to abuse. I am 
wondering if there is any kind of a screen there that can stop 
that.
    Mr. Kneuer. As far as the ability of a registrant to submit 
their WHOIS data and then to change it after the fact, I would 
have to get back to you. I believe those updates are made by 
the registrars, that you have to submit that to the registrar 
and have them make the change.
    I will get back to you for the record on whether or not I 
am correct in my understanding of the way that operates.
    As far as successive sites, when you get into a site that 
sort of scrolls down to other sites, you should still have the 
actual address of the site, even when you default into and you 
are redirected, the address should be there, should be visible 
and transparent to you, and then you can do a WHOIS search on 
that again.
    I certainly concede that is sort of the kind of thing that 
presents a challenge, not just to consumers, but even 
sophisticated users. It is not real clear sometimes unless you 
are really ever vigilant.
    I concede that is a problem.
    Ms. Kelly. Thank you.
    Chairman Bachus. Thank you. Let me first say, Mr. Kneuer, I 
would like to associate myself with your remarks in the 
dialogue. I think both of you recognized that there is a real 
key role for the consumers here.
    It is a role they are playing today. The status quo today 
is transparency. What this proposal would do is take rights 
away from consumers, everyone that uses the Internet.
    There are many legitimate rights that consumers have now, 
essential rights, to protect themselves, that if this proposal 
in my mind goes through, then yes, the commercial firms, your 
bank, they may have rights, and law enforcement may have 
rights, but the first line of defense, and Mr. Kneuer, you said 
this, the first line of defense ought to be the consumer.
    We say the consumers are responsible for protecting their 
own information. If we deny them a right that they have 
presently, this right to know the domain name and the identity, 
then we are denying them the ability to protect themselves.
    There are other things in your testimony that you talked 
about, Ms. Harrington. I was trying to find it here. You talk 
about how consumers now have the ability to resolve problems 
with online merchants directly through the use of WHOIS 
databases.
    They find out who it is and they resolve their problem. 
Government does not have to deal with it.
    You are talking about consumers and legitimate businesses, 
that if this changes, they are going to come to you and say we 
do not know who these people are, we have a complaint, you need 
to find out who they are. You are going to throw a whole lot 
more work on the Government and individuals, which they are 
doing now.
    You would throw a whole lot more work--I would just like 
you all to respond to that. I think you put the burden on the 
Government and law enforcement, the banks and the financial 
institutions, that consumers could legitimately say if this 
goes through, I no longer have the ability to resolve this 
myself.
    Ms. Harrington. Mr. Chairman, I think that is right, 
although I would hasten to add that we are here to serve 
consumers. We welcome their complaints. We hope they do not 
have problems, but when they do, we are in the business of 
serving them.
    I think an equal problem here is that consumers will lose 
confidence in this marketplace if they do not know who they are 
dealing with. I think that would have very serious 
implications.
    Chairman Bachus. In fact, we had talked about that on many 
occasions. Our policy, if they lose--when we talk about 
identity theft, we said it is very important for us and the FTC 
and law enforcement to act against identity theft because it 
diminishes the use of the Internet. It diminishes people's 
confidence in the Internet.
    To me, the more I look at this, the more I see it as a 
serious threat to confidence on the Internet, to know who you 
are dealing with.
    Mr. Kneuer, what is the relationship between the Department 
of Commerce and ICANN? It is my understanding within the ICANN 
organization, there is a weighted voting by different 
interested parties.
    Could you describe how that works and how it impacts the 
process? Does that weighted voting bias the process toward 
certain views?
    Mr. Kneuer. The relationship between the Department and 
ICANN is memorialized in this Memorandum of Understanding.
    ICANN is the private sector entity that was established to 
take over the management of the domain name system. It used to 
be a U.S. Government function, and a long history of the 
Internet going back to DARPA and its development as an U.S. 
Government network.
    The MOU is intended as a transitional document for us to 
provide some oversight over ICANN as they get themselves stood 
up and become a sustainable secure organization.
    As far as the weighted voting goes, that is not in the 
decisionmaking of ICANN itself. These are not final decisions 
of the Board of ICANN. These are in some of the subgroups of 
ICANN, the GNSO being one of them.
    When the GNSO was established, they determined that 
weighted voting to reflect different constituencies in that 
subset would be appropriate, so there is weighted voting in 
that Council, in that organization.
    That does not carry over into the final decisionmaking of 
ICANN. The Board of ICANN is elected and representative, and 
there are not weighted votes in final decisions of ICANN. It is 
in this subconstituency, this GNSO Council.
    Chairman Bachus. You mentioned GNSO. That states that the, 
``Current definition of WHOIS data is related to the service 
that provides public access to some or all of the data that is 
collected, and is not a definition of the purpose of the data 
itself.''
    That seems to me like a definition that believes the WHOIS 
database service, that their only purpose is maintaining the 
Web site, which there is another purpose, legitimate purpose; 
is there not?
    Mr. Kneuer. Absolutely. ICANN by its definition, by its by-
laws, is supposed to be a consensus driven organization that 
takes lots of different views. That is one view of the GNSO.
    It is clear the governments feel that there are different 
uses and different purposes for the WHOIS data. Consumers may 
feel very differently.
    The reason ICANN is organized the way it is, is so there is 
the ability to get the views of all of these different 
constituencies and all these different equities are represented 
and weighed going into it.
    While one subgroup may have one view, that is not 
reflective of the overall Internet community as a whole, and it 
certainly does not reflect the U.S. Government's position or 
the views of many other governments, as have been reflected in 
the Government Advisory Committee meetings.
    I think you will see much more of that, of the view that 
the purpose of the data should not be decided by any one group. 
The important thing is that the data is available, and you can 
make what use of it that you will.
    Chairman Bachus. I agree. I think ICANN actually ought to 
consider ways to protect the consumer and ways to protect an 
individual's privacy.
    I will just say this another way. It is almost as if there 
are all these essential legitimate uses that consumers are 
taking of the WHOIS data, and it is all of a sudden that ICANN 
wants to sort of put the genie back in the bottle and stop a 
lot of these, what we take for granted every day, as our 
legitimate uses of that data by consumers.
    Mr. Kneuer. I think that gets back to not having a narrowed 
definition of the purpose. For some varieties of malfeasance, 
whether it is consumer protections, the fraud, we want to make 
it stop and making it stop may be--you want to recover assets 
to the extent you can, but making it stop is the important 
thing. That is not happening anymore.
    Other areas of law enforcement have much different 
concerns, whether it is cyber security and cyber terrorism, or 
child pornography. You do not want to make it stop. You want to 
catch those guys.
    The more difficult it is for bad actors to hide behind 
inaccurate WHOIS data, the harder it is for them to continue to 
commit crimes on the Internet, the easier it is for law 
enforcement to pursue them.
    We need to reflect the broad interests and equities of the 
community as a whole and not be too focused on one constituency 
or another constituency.
    Chairman Bachus. I agree. In fact, it is almost, ``the 
public be damned.'' This is a better way, a more efficient way, 
to manage the system. If anything, the people who benefit are 
the people who are committing the crimes.
    Mr. Kneuer. Just to be fair as well to ICANN, the proposal 
from the GNSO has been submitted, but as the ICANN Board stated 
in Marrakech, and I would refer back to my testimony for the 
exact quoted language, they do not intend to make any decision 
to change the current status quo policy without having the 
opportunity of governments to give their counter view to the 
GNSO's narrow definition, without having the opportunity for 
the public to make their comments.
    The status quo today still exists. There has been no change 
in the policies or the procedures, and there will not be any 
changes until a broad cross section of interested stakeholders 
have an opportunity to make their views known.
    Chairman Bachus. I have talked to Secretary Gutierrez about 
this issue. A lot of people think it is just an arcane issue 
dealing with a technical issue.
    In fact, it has very serious implications and consequences 
for everyone who uses the Internet. It would change the status 
quo.
    Although my words may seem sort of harsh, if consumers are 
denied some of these rights, the consequences on them are going 
to be harsher still.
    I will close by just asking is the Commerce Department, and 
is the FTC, committed to watching out for the best interests of 
consumers, and are they committed to preserving consumers' 
present rights to the WHOIS data?
    Mr. Kneuer. Yes.
    Chairman Bachus. Ms. Harrington?
    Ms. Harrington. Absolutely.
    Chairman Bachus. Thank you. I think that is very important. 
I very much appreciate that.
    Does anyone want to ask any other questions of this panel?
    Ms. Kelly. Mr. Chairman, I just would ask the Commerce 
Department to work closely with ICANN, to try to make sure the 
information is absolutely as accurate as it possibly can be.
    Chairman Bachus. Thank you.
    Mr. Kneuer. We will certainly do that.
    Chairman Bachus. That is a good point, Ms. Kelly.
    Thank you very much. The first panel is discharged.
    Ms. Harrington. Thank you, Mr. Chairman.
    Chairman Bachus. Good morning to our second panel. Our 
second panel is made up of Ms. Catherine Allen, CEO of BITS/
Financial Services Roundtable. We welcome you.
    Also, Mr. Mark Bohannon, general counsel and senior vice 
president, Software and Information Industry Association, SIIA, 
and Mr. Marc Rotenberg, executive director, Electronic Privacy 
Information Center, EPIC.
    Ms. Allen, we will start with your testimony.

  STATEMENT OF CATHERINE ALLEN, CEO, BITS/FINANCIAL SERVICES 
                           ROUNDTABLE

    Ms. Allen. Thank you very much. Good afternoon, Chairman 
Bachus, and members of the subcommittee.
    My name is Catherine Allen, and I am the chief executive 
officer of BITS, part of the Financial Services Roundtable.
    I also want to acknowledge Congressman Pearce from my home 
State of New Mexico, where there are a few of us around.
    I am pleased to appear before you today on behalf of BITS, 
the Financial Services Roundtable, and our member financial 
institutions, with respect to the topic of a proposed change to 
the WHOIS database within the ICANN.
    Thank you, Chairman Bachus, for meeting with executives 
from Am South representing BITS earlier this year on this issue 
and taking such an avid interest in it.
    BITS is a non-profit industry consortium of 100 of the 
largest financial institutions in the United States. We are the 
non-lobbying division of the Financial Services Roundtable, and 
work as a strategic brain trust to provide intellectual capital 
and address emerging issues around operations and technology 
for the industry.
    Working groups share successful strategies and best 
practices for managing risks, reducing fraud, managing IT 
service provider relationships, and managing risks in the 
changing payments' environment, and work with the heads of 
security, heads of fraud, and heads of payment in these 
organizations.
    Financial institutions have always been a favorite target 
for perpetrators of fraud. Institutions have long answered this 
challenge with reliable business controls, advanced technology, 
information sharing, and cooperative efforts with the 
Government and law enforcement agencies.
    With the growth of the Internet and its fundamental role as 
the foundation of electronic commerce, including financial 
services, the role of ICANN and its significance has grown 
exponentially.
    It is therefore with great concern that our member 
institutions have become aware of the proposed change in the 
type of information to be collected and maintained in the ICANN 
WHOIS database.
    The WHOIS database, just as a background, is very important 
in that it has three types of information, and all three of 
these types of information are used when we work with law 
enforcement to track down fraud.
    The registrant contract, which includes those registered 
for domain names, IP addresses, who owns the name, who paid for 
the name, and the owner's name and address. Secondly, the 
administrative contact who you call for billing information. 
Again, their name, phone number, address, and the technical 
contact who may or may not be associated with that Web site, 
who specifies if there is a problem with the Web site and does 
the technical attributes.
    As part of their efforts to combat fraud, financial 
institutions are constantly watching for incidences of domain 
name fraud. Sometimes we call it cyber squatting or typo 
squatting. These are people that will create and register 
domain names that are very similar to financial institutions, 
but they might have one slight change to them. In some cases, a 
changed vowel or a changed name. In any sense, they look very 
familiar to the consumer and they think they are talking to an 
actual legitimate financial services company.
    In one case, one of our financial institutions found a Web 
site with a name that was identical to their own, except for 
the one vowel change. Going to the home page, they saw that it 
was not only an example of theft of intellectual property, but 
of course, they were trying to commit fraud against consumers.
    Using the registrant information from WHOIS, the financial 
institution in this instance was able to contact the Web site 
owner and send a cease and desist letter to have the site 
removed.
    One of the other key uses for the WHOIS database is for 
shutting down phishing sites. As part of investigating phishing 
incidences, financial institutions sometimes discover that a 
legitimate Web site has been taken over by phishers, without 
the Web site owner's knowledge.
    With cooperation of the WHOIS technical contact and the 
registrant's contact, and the hosting site, they were able to 
shut down a phishing site. Again, they needed at least two of 
the three kinds of information.
    In early 2006, a financial institution discovered it was 
being phished from a site in Taiwan. Efforts to have the Web 
site shut down using the technical contact information was 
unsuccessful. In fact, it took the full WHOIS information 
provided to the U.S. Secret Service and the Taiwanese police, 
who made local contact with the Web site owner and the ISP and 
got the phishing site shut down.
    These are just a few examples of the reasons that financial 
institutions and others who are combating fraud find the WHOIS 
database so important as a tool for fighting fraud and 
protecting the public.
    All of the WHOIS information is currently freely available 
to anyone with Internet access, and while it may be prudent in 
some cases to restrict some access, we do believe it needs to 
have what we call permissible access by all players--law 
enforcement, businesses, or people who have legitimate reason 
to try to track down for fraudulent reasons who owns this 
database.
    It is a matter of public confidence. We agree with the 
discussion that happened with the previous panel, that the more 
transparency there is, the better it is for all of us, 
including consumer access to this information.
    As you are aware, on January 18th, the ICANN WHOIS Task 
Force report contained two opposing formulations for the 
purpose of WHOIS. Under formulation one, which is severely 
restrictive and just a technical issues' configuration, we 
believe adoption of that would make it more difficult and time 
consuming for financial institutions to identify and stop 
domain based scams and identity theft and account fraud. It 
will also hinder our ability to respond to identity theft and 
phishing. Timely response to phishing attacks and identity 
theft is critical to protect customers, financial institutions, 
and innocent consumers.
    In most instances, many unsuspecting consumers are 
contacted by a financial institution to learn that they may 
have been a victim of identity theft and they may not have 
known it because a Web site had been set up in their name, 
which turns out to be a fraudulent Web site.
    Giving the consumers the opportunity to remedy the effects 
of the identity theft sooner rather than later is critical, not 
only to law enforcement, to the financial institution, but most 
importantly, to the consumer.
    Most innocent victims have been, and continue to be, 
extremely helpful to financial institutions in taking down or 
transferring these domain names to the financial institution 
that is the target or potential target of a phishing attack.
    Financial institutions need the WHOIS information to 
address all of the forms of fraud noted above.
    For these reasons, we have urged ICANN to adopt formulation 
two. Formulation two would provide financial institutions, law 
enforcement and others open access, continued open access, to 
the information they need to respond to identity theft and 
account fraud.
    It is our understanding that during the ICANN meetings in 
Marrakech, the decision to choose between formulations one and 
two was postponed for additional deliberation.
    On behalf of BITS and our financial industry, recognizing 
that the ICANN Board has the ultimate decision, we encourage 
Congress to strongly support the adoption of formulation two. 
Thank you for the opportunity to testify before you, and I will 
be happy to answer any questions.
    [The prepared statement of Ms. Allen can be found on page 
46 of the appendix.]
    Chairman Bachus. Thank you, Ms. Allen.
    Mr. Bohannon?

  STATEMENT OF MARK BOHANNON, GENERAL COUNSEL AND SENIOR VICE 
    PRESIDENT, SOFTWARE AND INFORMATION INDUSTRY ASSOCIATION

    Mr. Bohannon. Mr. Chairman, members of the committee, I 
appreciate the opportunity to appear before you today and 
testify on ICANN and the WHOIS database. I particularly want to 
thank you, Mr. Chairman, for your opening statement, which was 
very strong and very clear about the importance of this issue, 
and we want to continue to work with you and the committee to 
pursue the right policy here.
    My organization has been engaged in the issue of WHOIS 
policy for many years, primarily through our involvement in the 
Coalition for Online Accountability, which includes most of the 
major organizations and members of the copyright community.
    We see firsthand how the WHOIS database is a key tool to 
combat copyright and trademark infringement, cyber squatting, 
fight phishing attacks, as well as combat the pernicious 
effects of spyware and illegal downloads.
    In my prepared remarks, I document how I believe all 
Internet users, consumers, as well as leading groups such as 
TRUSTe and the Center for Democracy and Technology, who are 
committed to promoting privacy network security, depend on the 
WHOIS database, and I would ask that it be submitted for the 
record.
    I really want to focus on two issues in my verbal comments. 
One is I want to talk about why the proposed policy is 
misguided, and secondly, why we have to ramp up and step up 
efforts to make WHOIS reliable and accessible.
    When SIIA and other members of the intellectual property 
community heard about the move to restrict access in the 
purposes of WHOIS data, we were obviously greatly concerned.
    The formulation that was put forward, so-called formulation 
one, it is important to understand that it represents only a 
very, very small proportion of the current critical public 
interest uses of WHOIS data.
    In fact, virtually all the ways that WHOIS is now used to 
protect intellectual property rights, investigate cyber crimes, 
fight fraud and phishing and protect privacy online would in 
our view fall outside the scope of this definition.
    When the discussion became more broad, it was becoming 
quite apparent that the change would be devastating to 
businesses, consumers, and everyone who uses the Internet in a 
positive way.
    It galvanized many concerns about ICANN's stewardship of 
the WHOIS system. At the early stage, more than 50 
organizations, coalitions, entities, and individuals from over 
12 different countries filed comments with ICANN arguing 
against the narrow formulation of the purpose of WHOIS, and as 
I believe you, Mr. Chairman, pointed out, even the American Red 
Cross pointed out that it would have definitely have restricted 
their ability to go after the fraudulent Web sites that were 
trying to take money from citizens all in the name of helping 
those who were victims of Hurricane Katrina.
    After the Council vote in April, I would say an even more 
remarkable broader sector of business and other interests 
became quite concerned.
    I would like to submit for the record letters from diverse 
sectors, such as financial services, and hotel/lodging, as well 
as intellectual property and anti-counterfeiting groups.
    Chairman Bachus. Without objection, that will be allowed.
    Mr. Bohannon. Finally, Mr. Chairman, I wanted to directly 
acknowledge and thank you for your leadership. Your letter to 
Secretary Gutierrez earlier this year provided very important 
impetus and urgency to the development of a strong U.S. 
Government position going into the ICANN meeting in Marrakech. 
We want to thank you for that.
    We also want to take the opportunity to acknowledge the 
position that was presented by the U.S. Government delegation 
at the ICANN meeting. Fortunately, their view was reinforced by 
other governments that were in attendance, including the 
consumer protection authority in The Netherlands, as well as 
the representative from the Japanese Ministry of Information 
and Communications.
    While most of our discussion has really focused on public 
access and why that is critical, we also want to make it clear 
that it is essential, absolutely essential, to dramatically 
improve the accuracy and reliability of WHOIS data.
    The situation and the problem has been very well 
documented. In a study released by the Government 
Accountability Office last December, they estimated that the 
WHOIS data on over 5 million domain names in .com, .net, and 
.org, is either obviously false, incomplete, or simply could 
not be found.
    This high level of inaccuracy, in our view, significantly 
undermines the purpose, the role, and the value of WHOIS to 
consumers, to businesses, and to law enforcement.
    The GAO study also clearly shows that the system that ICANN 
put in place to address the problem simply is not working. GAO 
investigators submitted complaints about blatantly false data 
to the system, but after more than a month, the contact 
information had been corrected in only one quarter of the 
cases. At least half of the time, the phony data remained 
unchanged and the domain name remained as active and accessible 
as before the complaint was made.
    This hearing comes at a critical juncture in the 
relationship, in our view, between the U.S. Government and 
ICANN. As you know and as we discussed, the MOU between them 
ends on September 30th.
    When the Memorandum was renewed 3 years ago, ICANN pledged 
to take steps to improve the accuracy of WHOIS data. It also 
promised to put in place an enhanced system for ensuring domain 
name registrars and registries live up to their contractual 
obligations. That is making the WHOIS data publicly accessible 
and dealing directly with complaints about inaccurate data.
    We understand that ICANN believes that it has fulfilled 
these pledges under the MOU. Candidly, we do not agree with 
this assessment. While we believe ICANN has taken some steps to 
improve the system for receiving and processing complaints, 
ICANN's own reports show that the system does not work as it 
was designed to do.
    ICANN has consistently shied away from taking on the more 
difficult challenge of requiring registrars and registries to 
take proactive steps, any steps, in our view, to actually 
verify the information they are collecting to ensure that it is 
accurate and reliable.
    Mr. Chairman, as we look forward and ahead to working with 
you on how best to ensure that ICANN does not set off down a 
path that would lead to a reversal or substantial erosion of 
the long-standing policy regarding making registrant contact 
data accessible in real time without charge via the Web and 
without substantial restrictions on use, we thank you for this 
hearing.
    We think that the policies are in our national interest, in 
the interest of consumers and businesses worldwide, and in the 
interest of promoting the healthy growth of the Internet as a 
safe place to work, to play, and to do business.
    [The prepared statement of Mr. Bohannon can be found on 
page 69 of the appendix.]
    Chairman Bachus. Thank you.
    Mr. Rotenberg?

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Thank you very much, Mr. Chairman. I 
appreciate the opportunity to testify today. I ask that my 
complete statement be entered into the record. I will summarize 
for you the key points.
    Chairman Bachus. Without objection, all of the panelists' 
full written testimony will be entered into the record.
    Mr. Rotenberg. Thank you, Mr. Chairman.
    My organization, the Electronic Privacy Information Center, 
EPIC, has been involved in the WHOIS debate pretty much since 
the beginning. I, myself, am also the former chairman of the 
Public Interests Registry, which manages the .org domain. We 
developed, in fact, one of the best WHOIS practices, we 
believe, of any of the domains operating on the Internet.
    I am here this morning to present a view on behalf of 
consumer organizations and non-commercial users of the 
Internet, which is very much in support of the effort that 
ICANN is currently making to protect the privacy of Internet 
users.
    I need to be clear about this point. I believe there was 
some confusion on the first panel as to what the consumer 
interest is regarding unrestricted and unaccountable access to 
the WHOIS database.
    Under the current ICANN policy for WHOIS, anybody who has a 
connection to the Internet can go to this database and get the 
personal contact information of anyone operating a Web site, a 
political organization, an arts organization, a human rights 
organization, a group of hobbyists who have set up a Web site 
possibly in their living room or their basement--any person can 
get access to that information and use it for any purpose.
    That means that under the current ICANN policy, which the 
other panelists appear to favor, the person who is committed to 
fraud and spam and phishing has the exact same right of access 
as the law enforcement agent or the consumer protection 
official who is investigating crime.
    This is clearly not a sensible approach to protecting the 
interests of Internet users.
    The problem is so serious, in fact, that as the other 
panelists have noted, identity theft has become the number one 
consumer complaint in the United States.
    What did the Federal Trade Commission urge consumers to do 
to protect themselves against this crime? They said be very 
careful about putting your personal information on the 
Internet, because it is your personal information, your home 
address, your telephone number, and your e-mail address, that 
makes it possible for others to commit types of fraud and crime 
against you.
    ICANN, taking into account the growing concern about 
identity theft, while recognizing that law enforcement will 
need access to investigate crime, has appropriately decided to 
revise their policies for access to the WHOIS database.
    The chairman of ICANN, Mr. Twomey, and the various interest 
groups participating in this process, have not objected to law 
enforcement access. That is not what the debate is about.
    The debate is about whether there should be appropriate 
safeguards to ensure that the millions of individuals who 
provide information when they register an Internet domain will 
not find that their personal information is being improperly 
disclosed to others.
    Just to make very clear how serious the link is between the 
unrestricted access to WHOIS data and the problem of phishing, 
which I gather to be a central concern of the hearing this 
morning, the top phishing investigation and prosecution that 
was pursued in the United Kingdom was against an individual who 
took advantage of access to e-mail addresses that he could 
obtain from the WHOIS Directory to commit the type of financial 
crime that the other witnesses this morning are understandably 
concerned about.
    It is our view that a sensible and effective approach to 
the use of WHOIS data is one that will allow people who 
register Internet domain names to protect the privacy of their 
personal information. It will still be made available to the 
registrars. We are not saying contact information should not be 
provided. We do believe it should be provided, but we think the 
circumstances under which it should be disclosed should be 
limited to appropriate and legal circumstances.
    There is a very simple analogy here, Mr. Chairman, and that 
is, of course, the driver's license and driver's record 
information that all of us provide to the State DMV's as a 
condition of the right to drive a car on a public roadway.
    We make this information available to the Government, and 
the Government needs to make use of that information oftentimes 
to investigate crime and theft and accidents.
    We would not say that the information in the State DMV 
databases should be widely available to the general public for 
any purpose it might choose. In fact, the Congress has wisely 
chosen on several occasions to protect the privacy of just that 
type of information so that it is not improperly used.
    My point is simply this. If we protect the privacy of the 
information that is collected to register an automobile and it 
can still be accessed for law enforcement, for appropriate use, 
should we not similarly protect the privacy of the information 
that is provided to register a Web site?
    It will still be available for appropriate use, but we do 
not want it widely available to the public. It is contributing 
to the problem of identity theft.
    Thank you.
    [The prepared statement of Mr. Rotenberg can be found on 
page 103 of the appendix.]
    Chairman Bachus. Thank you, Mr. Rotenberg.
    My question is simply going to be, Mr. Bohannon, Mr. 
Rotenberg gave a different view from the first panel or Ms. 
Allen and you.
    Would you respond to his arguments? Are they valid? How do 
you deal with that?
    Mr. Bohannon. Mr. Chairman, of course, Mr. Rotenberg and I 
have worked on a number of things together. Sometimes we agree. 
Sometimes we do not agree. I think on this one, we do not agree 
on either the nature of the potential problem that he was 
describing, much less the overall balance that is trying to be 
struck here.
    Let me try to address--if I miss a point, let me know.
    Chairman Bachus. I will give Mr. Rotenberg the right to 
respond.
    Mr. Bohannon. I think the question no one on this panel is 
arguing is that there are not real problems to address with 
regard to identity theft and how we combat that. I think in 
this Congress we have seen lots of discussion of that across 
the board.
    The question is whether the kind of information regarding 
the kind of entities that are on the WHOIS database in fact 
contributes in any way, much less in a meaningful way, to 
identity theft, fraud, and anything else. With all due respect 
to Mr. Rotenberg, I do not believe the evidence is there.
    In fact, if you look at the kind of registrant technical 
and administrative data that is on WHOIS, registrants, in fact, 
their e-mail address are not publicly available. The only thing 
you have to put as a registrant is your name and postal 
address. Technical and administrative contacts, that is 
different.
    When you are talking about the actual registrant, we are 
not talking about the kind of information that would be 
associated with identity theft and leading to those kinds of 
things.
    Our view is that the overall balance to be struck here is 
when my member companies get thousands of complaints in an hour 
that they are getting fraudulent e-mail and being directed to 
deceptive Web sites. What within minutes or hours can companies 
do to shut those down and give their customers confidence that 
they can do business?
    At this point, there is no silver bullet. WHOIS becomes an 
essential step in combating that. If we were to rely only on 
law enforcement, we believe that it would dramatically hinder 
our ability to go directly and help our customers when they are 
being confronted with these kinds of attacks. It simply cannot 
be done in minutes or hours.
    As you know, Mr. Chairman, our organization has a long 
history of working in a public/private partnership with law 
enforcement to combat cyber crimes, intellectual property 
theft. They do great work, but they cannot operate within 
minutes or hours like our security offices and our customer 
relationship folks are required to do.
    Chairman Bachus. Thank you. The WHOIS data, are you 
disputing that it is being used today to protect consumers and 
to advance confidence in the Internet?
    Mr. Rotenberg. I believe it is being used in both ways, Mr. 
Chairman. I believe that the WHOIS data can be useful to 
investigate certain types of activity. I think you have to be a 
fairly sophisticated user to use the WHOIS data for that 
purpose, because a person who intends to commit a crime online 
is usually pretty good at concealing their actual identity, and 
that includes the information they would provide for the WHOIS 
database.
    Chairman Bachus. Would you restrict some of the present 
rights that consumers have?
    Mr. Rotenberg. I am encouraging an approach that ensures--
it is the consumers' information, by the way, that is being 
disclosed. There are two sides to this coin.
    Chairman Bachus. If you operate a Web site and if you 
communicate with someone and give them that Web site, then they 
have a right, but if you didn't want them to have that 
information, you just simply would not communicate with them; 
is that right? Wouldn't that solve your problem?
    Mr. Rotenberg. That could be.
    Chairman Bachus. You obviously have some motivation for 
communicating with that consumer.
    Mr. Rotenberg. You may also be a non-commercial entity. As 
I said, there are many people who register Internet Web sites 
for non-commercial purposes. There are many human rights 
organizations, I should point out, that have found that the 
Internet is the most effective way they have for expressing 
their political views and trying to bring democratic reform to 
some of the governments in this world that need reform.
    They are concerned that if their personal information were 
made available to the governments in which they are operating, 
they would be at serious personal risk.
    If I may, Mr. Chairman, because I know other witnesses had 
asked that certain information be entered into the hearing 
record, on this particular point with Mr. Bohannon, I would 
like to ask that an article that my staff found be entered into 
the hearing record.
    This concerns the spammer in the United Kingdom, if I could 
just read two sentences.
    It begins, ``Britain's most prolific spammer, currently 
behind bars and facing a number of charges, has also just been 
fined 81,000 pounds.''
    It goes on to say he, ``Used Nominet's WHOIS database to 
send out fraudulent domain name renewal invoices under the name 
of Domain Registry Services.''
    He had access to the WHOIS data, which made it possible for 
him to commit the fraud.
    Chairman Bachus. Is that the only case you are aware of?
    Mr. Rotenberg. I am sure we could find many more, sir. I 
just thought it was remarkable. He is the most well-known 
spammer in Great Britain.
    Chairman Bachus. You would agree there are literally 
thousands, or tens of thousands, of examples of people who have 
misrepresented their identity to consumers and thereby 
committed identity theft or entered into fraudulent practices?
    Mr. Rotenberg. Yes, sir. We certainly support those 
prosecutions. As I said, we have worked with the Federal Trade 
Commission and encouraged prosecutions of fraud that does 
jeopardize the interests of consumers.
    We do believe that the interests of consumers are also 
jeopardized when their personal information is made available 
online.
    Chairman Bachus. Since this WHOIS database was set up, 
since day one, consumers have had this information that you are 
now advocating be withheld from them; is that right?
    It's a change to the status quo.
    Mr. Bohannon and Ms. Allen are basically arguing for the 
status quo, and as I understand it, you are arguing that the 
consumers' right to know be limited.
    You have given as a legitimate reason the protection of the 
privacy of the Web site operators.
    Am I wrong?
    Mr. Rotenberg. From our perspective, Mr. Chairman, the 
consumer right here is the ability to control the disclosure of 
their personal information.
    Chairman Bachus. Are the Web site operators, I would say 90 
percent--it is my understanding you are limiting the right of 
consumers to get that information which they presently have. Am 
I right?
    Mr. Rotenberg. We would certainly allow access for 
appropriate purposes, as I mentioned at the beginning. I was 
chairman of the .org domain. We are the third largest generic 
top level domain name. There are millions of people who 
register .org domain addresses. Many of them are for non-
commercial purposes.
    Chairman Bachus. Thank you. Mr. Bohannon? I'm sorry. My 
time has expired. Mrs. Maloney?
    Mrs. Maloney. Thank you. I would like to ask all of the 
witnesses. I think we all agree that access to the database can 
be useful, but can also be a tool for identity theft.
    Why not segregate the most sensitive information and keep 
that private so a consumer might still be able to see who 
contacted them, but might not get the sensitive personal data 
that could allow them to set up a fake account in their name?
    Could you respond to that? In other words, limiting the 
amount of information. You can get a name but not the address, 
so you cannot use that sensitive information.
    Ms. Allen. Maybe I will start by responding. I think when 
we are talking about access to the WHOIS database, the only 
sensitive data is their name, address, telephone number, and in 
the case of the administrative contact, their e-mail, but there 
is no financial information that is available.
    As the financial industry, we are looking to be able to 
track back who owns a Web site or maybe the genesis of an e-
mail that may be used for phishing to go capture that 
information from a bank or from consumers.
    In the WHOIS database, there is no sensitive data other 
than the name, address, and e-mail of who owns that database.
    Mrs. Maloney. Any other comments?
    Mr. Bohannon. I think it is important to understand that, 
in fact, the WHOIS database is already carefully balanced to 
make sure that sensitive information like billing information 
the registrars get from the registrants, that is clearly not 
put on the Web sites. I think we need to recognize that is 
already a limitation.
    I will reiterate my point from earlier, which is you will 
not find the sensitive information of registrants on WHOIS. You 
will find their name and postal address. What you will find is 
contact information for either technical or administrative 
contacts. In that context, the Nominet example, I think, is 
very useful. It was a very well-publicized case about 2 years 
ago.
    The system worked. The individual was engaging in illegal 
spam. Illegal because the registrar accreditation agreement 
that ICANN has in place precludes use of the information for 
precisely the kinds of activities the gentleman in the Nominet 
situation was engaging in.
    Our view is that ICANN needs to do more to enforce those 
agreements, to make sure that the limitations on WHOIS data 
that already exist are meaningful and are not abused.
    When we hear the word, ``individual,'' we need to be 
careful here. What was involved in almost 99.9 percent of those 
cases were individuals who were not there as consumers, but 
individuals who were there in a corporate capacity.
    Take me, for example. I have my name and e-mail address on 
our Web site. Is that me as an individual? Yes. It is me in my 
capacity representing my members. That is, in fact, the kind of 
information that this gentleman used, and to reiterate, he 
engaged in violation of existing ICANN policies, and we think 
ICANN should be doing more to make sure those policies are 
enforced.
    Mr. Rotenberg. I think what you have outlined is, in fact, 
a sensible and effective approach that many organizations and 
experts and Government officials who are participating in this 
process at ICANN hope will result.
    As the other witnesses have indicated, this policy is still 
under discussion and a number of different approaches have been 
put forward. I think there has been very good input.
    I believe that a sensible solution is one that will 
restrict access to personal information and still leave some 
point of contact for accountability and investigations when 
appropriate.
    Mrs. Maloney. I would like to ask each of you whether you 
agree there should be different standards for accessing WHOIS 
depending on whether an Internet registrant is commercial or 
non-commercial.
    Mr. Rotenberg. I will say on this point that I know the 
Federal Trade Commission has proposed this distinction. I think 
there is certainly some support for this.
    A business that holds itself out should be accountable and 
there should be a point of contact for a business, and we 
wouldn't necessarily have the same expectation for a non-
commercial entity on the Internet.
    I think as a broad solution to the WHOIS issue, as my 
testimony suggests, there will need to be a point of contact 
for all registrants.
    One approach may be to allow proxy registrations so that 
individuals, for example, will have a buffer, if you will, so 
that it is still possible to reach someone when necessary, but 
they won't be directly exposed online.
    Mr. Bohannon. I think the discussions that are underway 
about the subject are very helpful, and we are participating 
actively in them.
    Congresswoman, I think at this stage, there is little that 
provides comfort that this could be put into place either 
operationally or from a practical point of view.
    I think even the FTC has acknowledged in its statement that 
until those are resolved, everything should be publicly 
accessible, and that there needs to be more information 
gathered.
    Let me just say that the question of commercial versus non-
commercial is a tricky one. My organization, SIIA, is a 
501(c)(6). Technically, we are a non-profit under the tax laws.
    Am I therefore a non-commercial entity who should have my 
information restricted? That makes no sense whatsoever, since 
we are actively engaging and holding ourselves out to the 
public, even though we do not pretend to make a profit.
    I think you need to be very careful about the language of 
non-commercial and commercial when in reality, entities, 
individuals, organizations that are using a publicly available 
Web site to promote themselves, to engage in education, and to 
do other things, are holding themselves out to the public.
    I think one point that has been missed, if I could just 
take a second, if an individual wants, for political or other 
purposes, to be able to communicate in a meaningful way, 
getting a Web site, in my humble opinion, is probably the last 
thing you want to do.
    There are lots of ways you can do it through blogs and 
others that are not registered at the top level domain that I 
think can be doing exactly the kind of things Mr. Rotenberg 
talked about, but which avoid, I think, some of the points that 
are being made.
    Quite frankly, if I were engaging in political dissidence, 
the last thing I would want is a Web site. I would want to 
figure out how to use an appropriate proxy service or something 
else, and those are all provided under very clear rules under 
the ICANN.
    This notion that Web sites are nothing, I think we need to 
get pass that in terms of addressing some of the communication 
issues that have been discussed here.
    Mr. Rotenberg. Could I respond to that?
    Mrs. Maloney. Absolutely.
    Mr. Rotenberg. I am actually really struck by Mr. 
Bohannon's comment. I find it extraordinary that an association 
that represents leading technology companies in the United 
States would discourage political speakers from taking 
advantage of the Internet and establishing Web sites.
    Mr. Bohannon. I am sorry. That is not what I said. That is 
incorrect.
    Mr. Rotenberg. I believe that is exactly what you--
    Mr. Pearce. [presiding] Could the gentlemen suspend?
    Mrs. Maloney. Ms. Allen, if you would respond to the 
commercial and non-commercial.
    Ms. Allen. I would. We draw no distinction. In fact, we 
support the Department of Commerce's position, and believe in 
transparency. A lot of it has to do with going after the bad 
guys.
    BITS just had a conference last week on anti-money 
laundering. We were looking at the growth of fraud on the 
Internet and concerns about the bad guys, and the correlation 
that has with the charities that sometimes are fronts for 
terrorism groups, and that they are using that as one of the 
ways that they do funding.
    I think it is important that we have transparency and that 
it could be a not-for-profit or a for-profit or an individual 
who has a Web site that may be a bad guy, and we want to be 
able to have access to that.
    Mr. Pearce. The gentlelady's time has expired. I would 
request unanimous consent to enter into the record a statement 
by Lynn Goodendorf. She is the vice president for information 
privacy protection for the Intercontinental Hotels group, and 
then also a letter from Mr. Fred Becker, Jr., National 
Association of Federal Credit Unions. Without objection, those 
will be entered into the record.
    Mr. Rotenberg, on page six of your testimony, you declare 
that governments are trying to crack down on human rights 
groups by extending identification requirements for Internet 
users.
    I suspect that is something you would object to.
    Mr. Rotenberg. We do, sir. We work with human rights 
organizations all around the globe. We are particularly 
concerned about those organizations that are pursuing 
democratic reform--
    Mr. Pearce. Sir, if I can go ahead and ask you the 
question. What position did you all take when Google went ahead 
and decided to cooperate with China?
    It is my understanding they were providing information on 
who searched the word, ``democracy,'' who searched for words.
    What did you all publicly do? What did your organization 
say about that publicly? What was your position?
    Mr. Rotenberg. We took no formal position and we were not 
asked to appear before the committee that held the hearing on 
this issue. We did express our opposition to Google's support 
for the Chinese based search engine, .cn.
    The practice impact of that search engine is to restrict 
access to information on the Internet that the Chinese 
Government does not want the Chinese people to receive.
    We did not support that.
    Mr. Pearce. You took no public position, but you are taking 
a public position now that would provide consumers with access 
to information? Am I characterizing that accurately?
    Mr. Rotenberg. Sir, I would be happy--
    Mr. Pearce. I am asking a question. You are taking a public 
position on restricting access to consumers. Is that your 
position?
    Mr. Rotenberg. We do not believe we are restricting access 
to consumers.
    Mr. Pearce. If I could then go to page three of your 
documentation, you quote from the Public Interest Registry 
that, ``As the Internet and the number of its users has grown, 
the justification for making WHOIS data publicly available is 
no longer applicable.''
    Did you quote something you did not believe?
    Mr. Rotenberg. I do. I very much support that statement.
    Mr. Pearce. My position still stands. It appears that you 
are supporting restricting access to consumers, but you are not 
unwilling to speak to Google publicly when they identify people 
for the government of a fairly repressive regime.
    I really want to get my feet underneath me as far as your 
positions are concerned.
    Mr. Rotenberg. I certainly appreciate the question, and if 
I can clarify my response, I apologize if I have not been 
clear.
    We were opposed to what Google did with respect to the 
search.
    Mr. Pearce. You did not take a public position, right?
    Mr. Rotenberg. To the extent that we were asked our views, 
that is what we said. As to the public availability and the 
statement from the Public Interest Registry, which we cite in 
our statement, we think it is an excellent point that was made 
in support of WHOIS privacy.
    Mr. Pearce. Can I ask you, in that same quote, ``As the 
Internet and the number of its users has grown, the 
justification for making WHOIS data publicly available is no 
longer applicable,'' how does it affect privacy concerns if we 
affect the privacy of more rather than fewer, the logic of that 
position is a little bit untenable. It seems like we would be 
interested in protecting the privacy of even a single 
individual, yet the quote specifically states now that the 
number of people is larger, now we have cause for concern and 
we are going to take a position.
    I am not following that logic.
    Mr. Rotenberg. I believe the point that is being made in 
the statement and is one that is generally understood at the 
ICANN, is when the data was originally available, it was to 
technologists for the technical purpose of maintaining the 
security and stability of the Internet.
    What has happened over time because it is more widely 
accessible to more people, it is creating new privacy risks 
that did not previously exist.
    That is why we have the problem of identity theft and 
phishing and spam.
    What the Public Interest Registry is expressing here is the 
recognition, which I believe ICANN is agreeing with, that in 
this environment, the unrestricted access to personal 
information poses new privacy risks.
    Mr. Pearce. I had asked the previous panel if it were 
possible if all Web sites had a link straight to the WHOIS 
database. I suspect you would be opposed to that.
    Mr. Rotenberg. I think it could be helpful for consumers 
who are dealing with businesses online.
    Mr. Pearce. No, I did not ask about businesses. I said, 
``all.'' It goes back to the discussion about my granddaughter, 
what Web sites might be misleading my granddaughter.
    I think there would be a very good reason to have the 
capability for a parent to go in and check to see who exactly 
is talking to a daughter in non-commercial means.
    You would oppose that?
    Mr. Rotenberg. I would be concerned that the same policy 
might be applied to a Web site that your granddaughter would 
choose to create on the Internet. I think she would have a 
privacy interest in protecting--
    Mr. Pearce. If my granddaughter wants to go on the Internet 
and begin to represent herself as someone, I think she should 
be responsible enough to be asked who she is and where she is 
located. I do not fear that at all. It is part of transparency.
    Mr. Baca, it is time for you to ask questions.
    Mr. Baca. Thank you very much. Let me ask all three of you 
just a simple question at the very beginning, and you can just 
answer it yes or no.
    Dealing with identity theft, it seems like individuals now 
can obtain any kind of information, more information, using the 
Web sites and the Internet. It has become a serious problem 
because some people may give out a little bit more information, 
so therefore, they have access.
    Is that true? Just for the record, yes or no?
    Mr. Rotenberg. I would say yes, it is a risk when people 
make more information available online. It can be misused.
    Mr. Bohannon. I am not sure I understand your question, 
Congressman.
    Mr. Baca. Right now, since we have a lot of identity theft, 
is there a probability that now more individuals are at risk 
because they are using the Web sites, they are using the 
Internet, that they are giving out a lot more information, so 
therefore, other individuals may have access to that 
information? Yes or no? Just a simple yes or no.
    Mr. Bohannon. I apologize. The question you are asking is 
of course, way beyond the scope of this hearing. I am trying to 
make sure I give you--
    Mr. Baca. We are talking about theft, fraud, the Internet.
    Mr. Bohannon. If I make more information available online 
or offline, yes.
    Mr. Baca. Thank you.
    Ms. Allen. The answer is yes, and right now, more identity 
theft comes from off line, from dumpster diving, than online.
    Mr. Baca. Thank you. The next question is what steps can 
consumers take to protect themselves against phishing, which is 
number one? This question is for Mr. Rotenberg.
    Is there a one-stop-shop of information that I can refer 
them to?
    Mr. Rotenberg. The main advice we give to consumers is to 
know the Web sites that they are dealing with, and to limit the 
amount of personal information they provide, but when they do 
run into trouble, we encourage them to visit the Web site of 
the Federal Trade Commission, the Privacy Rights Clearinghouse, 
and also the Identity Theft Resource Center, all very good 
resources for consumers.
    Mr. Baca. Thank you.
    Mr. Bohannon. I think Mr. Rotenberg outlined a number of 
very important steps. The other thing that virtually every 
company that does business has developed is a means to get from 
their customers examples.
    I, for one, use a very popular online payment service 
personally. I send to spoof@ that entity so many times a day 
that I think it helps them keep up with what is going on.
    I think it is very important in addition to the examples 
that Mr. Rotenberg talked about, to be in direct contact with 
the company that you are doing business with so that they know 
and they can tell you whether or not it is legitimate or not.
    Mr. Baca. Ms. Allen?
    Ms. Allen. The same thing, consumer education and knowing 
who you are doing business with.
    Mr. Baca. My next question is is there some kind of 
educational program that we could put out to our consumers 
right now? All three of you suggested some ideas. The problem 
is that many of our consumers are not aware there is this 
information that they could access or go through.
    How can they find out information, or is something we 
should be doing even here at the national level, developing 
some kind of educational consumer awareness?
    Mr. Rotenberg. I think the Federal Trade Commission has 
done some good work in this area. I think the businesses are 
also doing a fairly good job trying to encourage consumers to 
learn more about doing business online.
    Part of the problem, Congressman, is that things are 
changing very quickly. Technology is changing quickly. 
Businesses are changing quickly. A year ago, no one had heard 
of MySpace. Today, it is the number one Web site. It has a big 
impact on the privacy of our children.
    It takes a lot of time and effort to stay up to date with 
these developments.
    Mr. Baca. One other question. A lot of us, under the 
identity theft and fraud that is going on, a lot of us sit 
home, it doesn't matter who we are, and get a lot of the 
telemarketers who call us almost on a daily basis. Now, at 
least we have developed a block number so we can block some of 
those out.
    Is there a computer type system available where we can 
actually block some of this out? That is where a lot of the 
identity theft and fraud also occurs, and I don't know if our 
consumers are aware if there is some type of a system that is 
available that can block out, like we do block out numbers. 
Right now, anybody can get into the Web site, the Internet, e-
mail.
    Is there such a system that is being developed, and if 
there is, some of us need to be educated. Maybe I am not aware.
    Mr. Rotenberg. Congressman, as you indicated the Do Not 
Call legislation was extremely successful. There were more than 
100 million consumers who signed up for that. It did reduce the 
amount of telemarketing and the phone calls at dinner time.
    There have been proposals since for a Do Not E-Mail list, 
but it is not clear those would be effective. Most of the 
efforts to restrict the amount of spam that consumers receive 
are working forward on the technology front and not so much on 
the legislative front.
    Mr. Baca. Could you elaborate? Why would it not be 
effective? You said it may not be effective?
    Mr. Rotenberg. There are many reasons. One of them is that 
e-mail addresses can be imprecise. They can change. It can be 
difficult to identify the originator of an e-mail 
communication. It is also very inexpensive to send millions and 
millions of e-mails.
    It turned out that it worked, the Do Not Call list worked 
particularly well for telemarketing because of the structure of 
the industry and the ability with legislation to limit some of 
the more invasive practices.
    Mr. Pearce. The gentleman's time has expired. Ms. Kelly?
    Mr. Baca. Could I have Mr. Bohannon's answer?
    Mr. Pearce. One moment, Ms. Kelly. We have one more answer.
    Mr. Bohannon. Again, Mr. Rotenberg and I often agree on 
many things, and this is one. I would just refer to the 
Congressman and the committee a very thoughtful study that was 
done by the FTC in response to Congress on this very question, 
where they identified not only many of the practical issues 
that Mr. Rotenberg identified, but you can imagine a hacker--a 
hacker would spend every night for a year trying to figure out 
how to hack this database.
    A, he knows or she knows they are legitimate e-mail 
addresses. If he ever gets ahold of them, he could spam 
everyone in the world.
    I think there are a number of issues that come up with a 
registry like approach and Do Not Call, but the other point I 
would add to the very thoughtful comments is I think there are 
some good tools out there to help you in managing some of this. 
They are not perfect. Some of them are my members.
    I do think it is important to know the tools that are out 
there, keep them up to date, and know how to use them so you 
become as sensitized and are as aware of what is trying to get 
to you, both good and bad.
    Mr. Baca. As we do that, we have to simplify it for some of 
us who are not technology connected. It needs to be very 
simple.
    Mr. Bohannon. I can tell you some suggestions. I am not 
allowed, of course, to promote particular products here.
    Mr. Pearce. Thank you. Ms. Kelly?
    Ms. Kelly. Thank you very much, Mr. Chairman.
    You three were in the room when I was asking a question of 
ICANN and the Commerce Department. My question to you is do you 
think the Commerce Department ought to require ICANN to carry 
out random audits of the register and the WHOIS data 
procedures?
    Let me start down at the other end, Mr. Rotenberg.
    Mr. Rotenberg. Thank you, Congresswoman. I think audits 
could be helpful, if you were trying to encourage accuracy, but 
I also think that our privacy safeguards would encourage 
accuracy.
    One of the reasons that people provide inaccurate 
information or incomplete information is because they 
understand that it will be widely available to anybody, 
including stalkers, spammers, and phishers.
    I think the Department of Commerce, which has an 
understandable interest in promoting accuracy, could advance 
that goal through support for better privacy.
    Mr. Bohannon. Thank you for your question, Congresswoman. I 
think it is our view that, as the MOU is reviewed and ICANN's 
commitments under the MOU are evaluated, I think those kinds of 
concrete things that ICANN under the existing arrangement has 
set out to do to improve accuracy and reliability need to be 
clearly documented, and I think as the MOU is renewed and 
reviewed, there may be a need to get more specific in terms of 
the Department of Commerce's expectations, and I think audits, 
random audits, is one example.
    Ms. Allen. I agree there could be more that ICANN does in 
terms of positive reinforcement, proactive audits. There is 
more that others in the community, such as ISP's, could do, 
that could also help to stop the fraud.
    Also, by having transparency, there is a self-policing 
effort, the fact that as consumers and/or businesses see there 
are fraudulent sites, report them and help to shut them down. 
That is part of the process as well.
    Ms. Kelly. I noticed in some of the testimony, you were 
talking about the privacy of users and not the accuracy of 
information.
    One of the questions I have is whether or not there should 
be a procedure in place of some sort so that people can appeal 
to the registrar on something that is a decision, some sort of 
a registrar decision on not to act on a false WHOIS data that 
is reported to it, because the registrar can make that choice 
right now.
    It looks to me as though there is no penalty attendant to 
misinformation or to privacy theft at the present moment, in 
terms of whether or not the registrar acts.
    I am wondering if we could again start with you, Mr. 
Rotenberg.
    Mr. Rotenberg. I think for the most part, the registrars 
have tried to stay out of the role of enforcing accuracy 
requirements. I think it could certainly be in the context of 
RAA's, which is the agreements that the registrars sign to sell 
the domain names, to impose accuracy requirements is one way to 
accomplish that goal.
    As I said, I still think the privacy safeguards would work, 
because individuals would be less likely to provide inaccurate 
information.
    Ms. Kelly. For anyone to plead a right to privacy, people 
need to remember there is no right to privacy on inaccurate 
information.
    Mr. Rotenberg. Congresswoman, if I may give an analogy, to 
the white pages and the phone books. I used to look at those. I 
was interested in how people protected their privacy in a very 
similar directory. A lot of people do not list their home 
address. A lot of women give a first initial instead of the 
complete first name.
    You can say that is incomplete maybe, not inaccurate, but 
it is clearly done with the goal of protecting privacy.
    I think some of that happens with the WHOIS directory as 
well.
    Ms. Kelly. That is not misinformation. That was my point.
    Mr. Rotenberg. Okay.
    Ms. Kelly. Mr. Bohannon?
    Mr. Bohannon. I think you are asking a very important 
question, Congresswoman. I think our view is that 3 years ago, 
ICANN made very specific commitments in these areas.
    I think in my prepared remarks, I am very clear that while 
ICANN believes it has met those commitments, we feel they have 
really come up short.
    They, in fact, did implement a process called the WHOIS 
data problem reporting system. It was supposed to address many 
of these questions.
    As the GAO study found, it simply is not proving effective. 
The GAO found that less than a quarter of the complaints they 
filed--that they intentionally submitted and filed--were taken 
care of, and much of the misinformation or inaccurate 
information was never corrected.
    Our view is that we have a framework in place. Let's make 
sure it is effectively enforced by ICANN and we do not have to 
go out and re-invent the wheel. Let's get the existing system 
working right. I think that does require some responsibility on 
the part of ICANN to do that.
    Ms. Kelly. Do you think that penalties of some sort imposed 
by the Commerce Department might be of benefit there?
    Mr. Bohannon. I think my view is what we need to do is get 
ICANN to recognize that in its role, it needs to be in direct 
relationship with the registrars and use that relationship.
    It needs to find, I think, a creative way, other than just 
de-certifying the registrar, which quite frankly right now is 
the only thing they can do. That may be too much of a response. 
We need to find some gradations here.
    We are prepared in working with the registrars and all the 
communities of interest to find appropriate ways so that we can 
make these realistic commitments enforceable and workable and 
to everyone's interest.
    Ms. Kelly. Thank you. Ms. Allen?
    Ms. Allen. I wanted to distinguish between misinformation 
or inaccuracies with criminal intent, which I think that is why 
we want law enforcement and financial institutions to be able 
to have access to this information, to go after those players.
    It is the second part of it, misinformation, that may be 
from marketing or a misrepresentation from a business point of 
view, but looking for responsibility in enforcement. There are 
some mechanisms in place that ICANN has not lived up to, and I 
think that is something that needs to be communicated in the 
contracts and MOUs.
    Ms. Kelly. Thank you very much. My time is up, Mr. 
Chairman. Thank you.
    Mr. Pearce. I thank the gentlelady. The Chair notes that 
some members may have additional questions for this panel, 
which they may wish to submit in writing.
    Without objection, the hearing record will remain open for 
30 days for members to submit written questions to these 
witnesses, and to place the responses in the record.
    I thank the witnesses from both panels. With that, this 
hearing is adjourned.
    [Whereupon, at 2:02 p.m., the subcommittee was adjourned.]




                            A P P E N D I X



                             July 18, 2006


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

