[I invite PFIR to reply. --Declan] -------- Original Message -------- Subject: An open letter to PFIR on DNS WHOIS Date: Tue, 22 Jun 2004 21:09:11 -0400 From: Tom Cross <tom@private> To: lauren@private, neumann@private, dave@private CC: declan@private, whois-tf1-report-comments@private An open letter to People for Internet Responsibility on Access to DNS WHOIS Data Mr Weinstien, Mr. Neumann, and Mr. Farber, Shocked, awed, and appalled. Thats the only way that I can express how I felt when I read PFIR's Statement on Access to WHOIS Data. (http://www.pfir.org/statements/whois-access) Lauren Weinstein, Peter Neumann, and David Farber are three men who have provided sharp and insightful leadership to the internet community for years, and are well known, well respected, and well read by just about anyone who cares deeply about technology issues. I do not always find myself agreeing with your various opinions, but never have I seen any of you express ideas so caustic to the values that I hold dear, and so lacking in thoughtful balance, then those expressed in this essay. Its like I've walked through the looking glass. Anonymous Speech is a RIGHT, not a privilege. This point has been reaffirmed over and over again by almost 230 years of American jurisprudence of which you surely must be aware. The Federalist Papers, published anonymously, are so fundamental to our system of government that every high school student is required to study them. The Supreme Court has repeatedly defended anonymous speech, and frankly, I cannot express this point more clearly then Justice Stevens did in McIntyre V. Ohio Elections Commission (1995): "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority. See generally J. S. Mill, On Liberty, in On Liberty and Considerations on Representative Government 1, 3-4 (R. McCallum ed. 1947). It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation--and their ideas from suppression--at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse." We cannot relegate political speech on the Internet to second class citizenship. The "extremely limited set of cases where domain holders might demonstrate a clear public safety or other critical need that may possibly justify masking of some WHOIS data" is the set of ALL political websites on the Internet. The Internet presently supports a vibrant ecology of political websites and weblogs of every flavor and prejudice. Together they constitute a meaningful discourse on nearly every issue of the day. A large portion of these sites employ WHOIS proxies or publish limited contact information. It is easy, even in the United States, to find examples of individuals who have been the target of violent retaliation because they have expressed their political views. Consider, for example, the recent case in San Francisco of a gallery owner who was assaulted because of a political artwork she put on display: http://tinyurl.com/27wvb If maintainers of political websites and weblogs are forced to offer up their personal contact information in order to hold a domain name, then these speakers will not hold domain names. Political speech on the internet will be a secondary activity occurring on shared hosting sites and multi-partisan discussion boards with no easy reference points for like minded communities. In other words, political speech will be put on the back burner, and the Internet will have less impact in the political domain then it otherwise would. You guys are barking up the wrong tree. DNS WHOIS is NOT the right tool for investigating security incidents on the Internet! To be sure, DNS WHOIS is a convenient place for organizations to voluntarily publish contact information, and that information is helpful when it is present, but security incidents do not come from domain names, they come from IP addresses. IP addresses are not always associated with registered domain names. Often they are associated with subdomains, or not associated with DNS at all. IP addresses can be resolved in the numbering authority's WHOIS database for the contact information of the ISP providing service to that address. Security and reliability issues relating to internet traffic can and should be dealt with through ISPs. There are significant problems with the accuracy and resolution of the numbering authority WHOIS systems, and some ISPs have poor abuse and incident response policies. Unlike the difficulties with accurate DNS WHOIS data, these are manageable problems. ISPs have the resources to maintain accurate contact information and full time incident response contacts. We simply need to put appropriate policies in place to improve practices. This is a much more realistic goal then getting everyone in the world to keep their DNS WHOIS data up to date all the time. Why are we spending so much time talking about DNS WHOIS when fixing IP address WHOIS is the best, and easiest way to improve the security and reliability of the Internet? You guys are standing along side corrupt interests. A large number of the people who are advocating accurate DNS WHOIS data have absolutely no interest in the security or reliability of the Internet. They are not trying to find a way to contact people because of technical issues. They are intellectual property holders and they want every website to have a public address where they can serve threats of prosecution should they decide that the contents of the website in question offend their interests. These people do not want to comply with the due process that our legal system affords defendants in such cases because its expensive, and because it means explaining their claims to a judge. They don't want to deal with ISPs for similar reasons. Frequently, as I'm sure you are aware, legal threats are sent out which have absolutely no basis in law. The individuals who receive them often have to comply because they simply don't have the resources to defend themselves even if they are in the right. Consider the archives at http://www.chillingeffects.org/ How much time should be required between, for example, the appearance of forged e-mails or wider Internet postings containing libelous materials, false accusations aimed at ruining reputations or causing massive financial loss, vs. the ability of the aggrieved party to start discovering who is behind the attack before reputations or even entire organizations are massively damaged? EXACTLY the amount of time that a COURT needs to deliberatively balance the interests of both parties to the dispute. Not every party who claims a grievance is in the right! We have a process in the United States that allows an aggrieved party to prosecute a John Doe defendant and obtain access to that defendant if their claim is reasonable. We even have facilities for accelerating the usual processes if the circumstances are extenuating. To build an alternate structure with the intent of short cutting these processes is to do an end run around our democratic system of government! These are not technical security and reliability issues. These are content issues, and they should be dealt with through the legal system, not through ICANN. I strongly urge you to carefully reconsider your position on this matter. Tom Cross Just an ordinary unknown computer geek. _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2b30 : Thu Jun 24 2004 - 11:43:02 PDT