Safeguarding Podcast – WhoIs the Problem? With Rick Lane, Iggy Ventures

By Neil Fairbrother

In this Safeguarding Podcast with Rick Lane of Iggy Ventures we discuss how the mismanagement of the internet causes online harms, how it’s been made so opaque that no one can understand it, what the US Government could do to sort it out and whether the EU’s GDPR is a threat to US national security.

https://traffic.libsyn.com/secure/safetonetfoundation/SafeToNet_Foundation_Podcast_-_WhoIs_the_problem_with_Rick_Lane_Iggy_Ventures.mp3

There’s a lightly edited transcript below for those unable to use podcasts, or for those that simply prefer to read.

WhoIs the Problem? Diagram designed with the help of Rick Lane, Iggy Ventures

Welcome to another edition of the SafeToNet Foundation’s safeguarding podcast with Neil Fairbrother, exploring the law, culture and technology of safeguarding children online.

Who owns the internet? Is there an owner and should they be responsible for online child safety and if so, what could they do to protect the most vulnerable of our society? Or is the internet out of control and has it become a safe haven for fraudsters, gangsters and predators? And if so, is there any hope at all for the rest of us?

Today’s guest will guide us through a web of complex contracts, opaque organizations, and seemingly dodgy deals and explain how we’ve ended up with what we have. Welcome to the podcast again, Rick Lane of Iggy Ventures. This is the second interview that we’ve had with you so thank you for that. Can you give us a brief resume please, to remind our audience from around the world of your background?

Rick Lane, Iggy Ventures

Thanks, Neil. Thanks for having me back again. So I obviously didn’t mess it up the first time, so thank you. But yeah, my background very briefly is I’ve been involved in basically almost every major internet tech policy issue here in the States since 1988, when I worked up on the Hill when it was known as the “Information Super Highway”. I worked on the 96 Telecommunications Act, the Digital Copyright Act, I worked at a law firm, worked at the US Chamber of Commerce. I was their first Director of e-Commerce internet technology policy starting back in 1999. And then after that for 15 plus years, I was the Senior Vice President of Government Affairs for News Corporation, which then became 21st Century Fox.

Neil Fairbrother

And you had an involvement with MySpace I believe?

Rick Lane, Iggy Ventures

I did. We bought MySpace, Rupert [Murdoch] and NewsCorp bought MySpace in about 2008 and I was the point person for MySpace on both the domestic and then the international side working with some of my colleagues. But when we bought MySpace, I said to my ultimate boss, I said, “Thank you for the job security, you have no idea what you just bought” with all the issues that were happening around it, including the most important issue, which is how do we protect our users from harm.

Neil Fairbrother

Okay. Now last time we spoke we covered Section 230 in some detail. Before we embark on today’s episodes, a quick question for you on that. Has the change in President from Trump to Biden had any impact on Section 230?

Rick Lane, Iggy Ventures

Not really. I mean, there’s the focus of bias versus you know, some of the issues that are happening online, but the ultimate issue of should Section 230 be modified or even repealed has actually grown stronger since the election because of everything that has occurred. There was a hearing a couple of weeks ago in the House of Commerce committee, a joint subcommittee hearing on 230 with the CEOs of Google and Facebook and Twitter. And this time it was the most unified I have seen members of Congress on both sides of the aisle and the bi-partisan way, raise strong concerns and raise the need to reform 230. So now the fundamental question is how do we change it? And do we go too far, or can we do it in a way that makes sense and ensures protection of children online but also holds the platforms accountable for their conduct.

Neil Fairbrother

Okay. Well, we’ll look forward to the outcome of that with a great deal of interest, because it will have an impact globally. But today we’re discussing how the internet is managed and the implications of that management, or indeed mismanagement, for online safety. The Washington Post recently published an interesting five-layer model, which represents the internet and it’s actually a good reference point for this discussion. Starting at the top of their model they have platforms. What do they mean by platforms, Rick?

Rick Lane, Iggy Ventures

Well, before I start talking about the world of ICANN, it reminds me of [the film] The Matrix when Morpheus first met Neo, and he asked him if you want to take the red pill blue pill. And the quote is great, because what he says is “…this is your last chance. After this, there’s no turning back. You take the blue pill, the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember all I’m offering you, is the truth, nothing more.”

And that is sort of where we’re going to start off with the stack and how it works. As you mentioned, the Washington Post did a very good infographic on what’s known as the “internet stack”. The internet stack includes the platforms, which we all know, Google, Facebook, et cetera.

Then you have Cloud Services, like Amazon and Microsoft, AWS.

Then you have the Content Delivery Networks, CDNs as they’re called, which provide delivery services like video streaming. So you think of CloudFlare and Vimeo and things like that.

Then you get to the lower level of the stack, which is the Domain Name Registrars. So Domain Name Registrars are like GoDaddy or Domain Name Registries which are Verisign, which most people in the world have never heard of.

And then you have the Internet Service Providers at the core which in the US are the Comcasts of the world.

Neil Fairbrother

We’re focusing on the Domain Registrar layer. And in that layer, there are Registrars, Registrants, as well as Registers. What is the difference between those three groupings?

Rick Lane, Iggy Ventures

Sure, we’ll start from the consumer facing side, which is the Registrant. The Registrant is the individual who actually registers a new domain name. So if I want IggyVentures.com I am the Registrant of IggyVentures.com.

The Registrar is GoDaddy, which is the more retail facing side of getting a new domain name. You send your money in and you sign up with GoDaddy.

The Registry is Verisign for dot com and dot net. They control the management of the dot net and dot com and they have a relationship with GoDaddy. So you have the Registrant buying it, the Registrar selling it and the registry basically being the wholesaler of what is known as a Top Level Domain, a GTLD, like dot com, dot net, dot org.

Neil Fairbrother

Okay. And why exactly do we need a domain name? It may sound like a very basic, fundamental question but what’s their purpose?

Rick Lane, Iggy Ventures

Sure. It’s actually one of the greatest innovations of, you know, what happened in the internet standard setting. Basically, the way the internet works is a series of numbers or IP addresses, and those IP addresses are just numbers. So if it’s at Iggyventures.com, it would be like a series of numbers and then dot com. Well, people can’t remember numbers, it’s just like trying to remember everybody’s phone number. So what they created was the ability of having names and using letters to directly attach to that “phone number” that routes people to your website. And so this made it an easier functionality to better navigate and to create a presence on the internet.

Neil Fairbrother

And the most common ones such as dot com and dot net are owned by Verisign. Is that correct?

Rick Lane, Iggy Ventures

Well, actually, they’re not owned by Verisign. There’s actually 2000 GTLDs approximately now out there. There’s also country codes. So a country code would be a dot UK or dot US, which are used within countries and controlled completely by the countries themselves. Some of those country codes are actually used by the private sector. So dot TV is a country code, dot IO is a country code.

There is a lot of options out there, but the reality is that the dot com and dot net are like gold and silver, if we think of minerals, out there. Everything else is worthless for the most part, but through ICANN there have been opportunities to create your own what we call “dot whatever” after the dot. So there is a process in place to do that. It hasn’t really moved the dial, 70% to 80% of the websites that have been created are dot net or dot com.

Neil Fairbrother

Okay. You mentioned ICANN there, and I mentioned Verisign. How do these organizations relate to each other?

Rick Lane, Iggy Ventures

Back in the day when all this started, the internet was basically a contractual creation out of the National Science Foundation, it was used for research. The contract when they started dot com and dot net and dot mil, there was a company called Network Solutions, and they had a contract with the National Science Foundation. Over time the National Science Foundation handed that obligation to the Department of Commerce with the continuation of Network Solutions. Network Solutions was bought by Verisign, and now Verisign basically manages dot com and dot net on behalf of the US Government.

Neil Fairbrother

Okay. And where does ICANN fit into that arrangement?

Rick Lane, Iggy Ventures

In 1998 the Clinton administration had an idea to privatize the management of the internet backbone. And so the idea came that they would create a nonprofit entity, at the time called NewCo, that would ultimately manage the TLDs, the Top Level Domains that are out there, the GTLDs and then have the ability to create new GTLDs and that nonprofit became what is known today as ICANN.

Neil Fairbrother

Okay. So the management of this previously was done by the US government. Is that what you’re saying? And that was then put into private hands?

Rick Lane, Iggy Ventures

Yeah, it was all based on cooperative agreements and contracts, and these contracts created basically a triangle between the US government and Verisign, the US government and ICANN, and between Verisign and ICANN, and that kind of created the triangle at the beginning of the internet. And then you had other outside entities, like the Internet Society that was created, because ICANN doesn’t just manage the domains. This is also the place you go to create the standards of the Internet Protocol.

Neil Fairbrother

Okay. The Internet Protocol being IP, the IP address, IP version four, IP version six, which is like the telephone numbers, correct?

Rick Lane, Iggy Ventures

Correct. Encryption was one of the issues. And we can talk about this later, DNS over HTTPS is an encryption standard. So basically the technical standards of the internet and how it operates is all done within the ICANN structure.

Neil Fairbrother

Okay. Now there is a thing called “WhoIs”. Listeners to our podcast may have heard of this in a previous episode, we are going to go to a little bit more detail here. So what is WhoIs, and what relationship does WhoIs have with your domain name that you’ve bought from your local domain name registrar?

Rick Lane, Iggy Ventures

Sure. There had already been in existence a database to help manage who actually had signed up for different domain names, like, you know, for dot com for example. And so there was this idea that you would have, people like to call it like a phone book. I disagree with that analogy. I look at it as more like land records, you know? Who actually has control over that land and manages that land on behalf of an entity.

So the idea back in 1998 was to have a WhoIs database and the issue of WhoIs became a critical issue for trademark owners and cybersecurity experts, as well as child protection groups. And the question was, should it be dark, or should it be accessible?

Neil Fairbrother

What do you mean by dark?

Rick Lane, Iggy Ventures

Should it be accessible by anybody on the internet to find out who is on the other side of the screen, who is the entity that has a control of a website or a domain name?

Neil Fairbrother

Okay. So if I in the UK wanted to buy Neilfairbrother.com, the theory is that all of my details, name, address so on would go into the WhoIs database so that people could track down the owner of the website, Neilfairbrother.com.

Rick Lane, Iggy Ventures

Correct.

Neil Fairbrother

Okay. That sounds like a reasonable plan. What happened?

Rick Lane, Iggy Ventures

It does. And the idea behind it was really consumer protection and the WhoIs database from a consumer protection side is critical to know who is on the other side of a website that is collecting your information.

You wouldn’t go into a store that has no markings at all. You always want to know who owns that store that you’re going into, because if you have a problem with that store, who are you going to contact? And especially here in the United States, you know, if you have a business, you have to file with the State, you have to file with your local governments. You have to file with the US you know, the IRS for tax purposes. By buying land here in the United States, you know, there’s an ownership. I can go to the land records, and it has all the information about who owns the land.

And those are all consumer protection tools that are used by here in the States, by the Federal Trade Commission and consumer protection agencies, it’s used by the Justice Department, it’s used by cybersecurity experts. So the WhoIs is really a consumer protection mechanism to ensure that you’re not being fleeced by someone who you can never track down.

Neil Fairbrother

Okay. And what is the problem then with WhoIs?

Rick Lane, Iggy Ventures

So the problem started from the very beginning. There has always been a debate about the accessibility and accuracy, you’re supposed to have accurate information in the WhoIs database. So there was a controversy between so-called privacy advocates. One is a cost centre to maintain the WhoIs database, and they don’t like that. But second, it allows their competitors to see who their customers are. They don’t like that, but in fact, in 98, they said that’s actually a consumer benefit, so you can have competition in the domain name space.

And the other is it creates potential liability for them, because if they don’t know who is on the other side, who is the entity that is creating harm online, then they don’t have any type of responsibility to take any action, because they will say to you, we don’t know who it is. We can’t do anything, go to law enforcement. And then law enforcement tries to get the information and they can’t get it because it always is dark. So it’s a very vicious circle.

Neil Fairbrother

So the WhoIs database is supposed to fulfill a role. It’s supposed to contain accurate information about who is buying domain names. That’s not happening and the result is all sorts of issues that many of us will be familiar with; phishing for example, DNS attacks, which may need a bit of explaining, and of course, CSAM distribution and storage. So what is phishing, what are DNS attacks? And I guess we’ll need to explore what CSAM is, although many people will know what that is anyway.

Rick Lane, Iggy Ventures

Yeah. One thing that people don’t realize is that all the attacks online have to start from a domain name. So if you have a phishing attack, which is you get an email from an entity that looks like it’s legitimate then that comes from a domain name, that comes from a registered domain name. It has to, because it has to be routed from point A to point B. This doesn’t [just] appear in your mailbox.

Same with when you click on a link that has malware, right or a download. If you visit a site that has malware on it, that link on that site is derived from a domain name that has been registered at a registrar and ultimately controlled by a registry.

So every type of attack that we have online for the most part originates from a domain name. And so that is a critical tool that if you want to block sites and links and things from a cyber security standpoint, you want to know where they’re coming from, or who’s behind them, you’re getting back to who is behind them. And the WhoIs database is a critical tool in that effort which has been documented by law enforcement agencies and cybersecurity experts domestically and internationally.

Neil Fairbrother

Okay. Now these organizations, so ICANN seems to be kind of at the top level of these organizations, Verisign has a contract with ICANN, and then all the various domain name registrars such as GoDaddy or 123Reg. So the organizations that we the public would deal with, the domain name registrars, they have contracts with Verisign. So if I want to buy a domain name, neilfairbrother.com, I would go to a GoDaddy or 123Reg style organization, and I’d buy it from them. They have a contract with Verisign and Verisign has a contract with ICANN and my understanding is that these contracts say that you must maintain an accurate and open and transparent WhoIs database, is that correct?

Rick Lane, Iggy Ventures

Yes, that is. The registry agreements, the RAs and the RAAs depending on which part you’re in yeah, absolutely stipulate that you’re supposed to have an open accessible WhoIs database. It’s the foundation of the internet when you created your registry, you know, you sign a contract. And these contracts, by the way are, were created through the multi-stakeholder process of ICANN and have gone through a lot of reviews.

Now, there’s people who don’t like them because it mandates that there should be an open and accessible and accurate WhoIs but the reality is that that’s what you signed up for once you decided to become a registry or a registrar. And in fact, when you’re a registrar it’s in your terms of service that you’re supposed to provide accurate information to the registrar when you’re signing up.

Neil Fairbrother

Okay. Now I believe also in these contracts that ICANN and Verisign have the power to shut down organizations that do not provide this information, is that correct?

Rick Lane, Iggy Ventures

The way the contracts work is that there are termination provisions within these contracts all the way through that if you are doing something that is in violation of these contracts so that you can be terminated. So the registrant, their domain name be shut down by the registrar and the registrar itself, if it’s in violation of the contracts with the registry. So if GoDaddy’s in violation and not doing what it’s supposed to be doing under the contracts, just like any other contract that someone signs, they can be terminated. And there is a process, but the contract is pretty clear. And the contract between the registry and ICANN is very clear that ICANN can terminate ultimately these contracts based on violations of the contractual obligations.

Neil Fairbrother

The reason that we’re focusing on various sites in this instance is partly because they were in the Dirty Dozen list from NCOSE, which was published fairly recently. And the reason they were there is because most child sexual abuse material is stored in dot com and dot net domain names. So why is ICANN not taking issue with Verisign about this issue?

Rick Lane, Iggy Ventures

Well, there’s a lot of conversations going on within the ICANN community on what is known as Domain Name System Abuse, DNS Abuse, that deals with these types of issues and ultimately who should be responsible. What is actually domain name abuse, and definitions? And we’ve been having this conversation for 20 plus years. It’s actually ridiculous because there are definitions of DNS Abuse especially around CSAM and other areas that these entities should be taken part of.

Why ICANN hasn’t done anything? ICANN is completely funded by the registries and registrars. That’s where they get all their money.

Neil Fairbrother

So if ICANN were to shut down Verisign, if that’s the right terminology, they would be shutting down their revenue?

Rick Lane, Iggy Ventures

Yeah. What would normally happen would be that ICANN would put out to bid the dot com contract, which has never actually happened, and saying that they have failed to [meet] their obligations. And then put the contract out to bid, to manage dot com or dot net.

That’s part of this problem that some of us have come to realize is that if ICANN likes to say that they are not a regulator of content or pricing for that matter, they’re not a regulator. That’s why I said that to you at the beginning, that there is no regulation for this it’s all contractual obligation. But they try to hide behind, well, we can’t tell if content is legal or not legal, that’s not our role to regulate content.

So you get into this vicious hamster wheel or circle and us saying, well, they should take responsibility and the contracting parties saying, we’re not going to take responsibility, even though it’s clearly from our point of view in the contracts. But the reality we don’t have privity in those contracts. So if ICANN isn’t willing to enforce their contract with Verisign, the registrars and their registrars aren’t willing to enforce their contracts with the registries and the registries aren’t willing to enforce their contracts with the registrars, there’s nothing we can do. We have, at this point, no legal leverage to try to insist and make them enforce the contracts that they’ve all signed.

Neil Fairbrother

What is the relationship between ICANN and the US government?

Rick Lane, Iggy Ventures

ICANN was created by the US government, it’s a nonprofit that is based in California, and everything was started by the US government and its actions to create this nonprofit. Over time there was a provision when the Clinton administration created this, that ICANN would not have any direct contractual relationships with the US government. And so over time, they were given more and more authority, sort of, you know, slowly taking them off their training wheels.

The last one was known as the IANA and that occurred during the President Obama administration. So ICANN, although there is one last contractual relationship between ICANN and the US government, but the contract now, or the cooperative agreement now is between the US Government and Verisign, the one that most people know about.

Neil Fairbrother

Okay, what does that contract mean? Does it mean that the US Government could mandate that Verisign takes action against the domain registrars that aren’t providing a complete WhoIs database?

Rick Lane, Iggy Ventures

Yes, I could have. They absolutely could have negotiated the deal with Verisign to put into place and require these types of actions, but they chose not to, and it’s not a contract. It’s what ICANN and Verisign and parts of the US government and others have created is really, as I said, it’s a red pill. You kind of go down these rabbit holes and they’ve made it so complex and so many acronyms that most people just give up and walk away because it’s just too time consuming.

But what the last amendment did, I’m hoping that the US government takes a closer look and realizes that they have made a mistake, is that it lifted the price caps of Verisign, where they can charge for dot com. Verisign wanted the price caps to be completely removed, just like what happened with dot org. And again, there’s the controversy around dot org being sold for $1.2 billion to the former CEO’s hedge fund which was ultimately shut down, but it also gave the contract to renewed into forever.

The cooperative agreement, there’s no longer a time like where it has to be renegotiated for a new amendment. It just kind of continues to flow for forever.

The other two pieces that they put in there, and I would never negotiate a contract like this, it says 1) that the cooperative agreement cannot be changed unless both parties agree to those changes. So if the US government came back and said, we really want you to implement a Thick WhoIs and take steps to shut down the registrars that are ignoring the contractual obligations, they would now have to get Verisign to agree to those contractual terms. The leverage that the US government would have would be to say, if you don’t agree to those, we will put out the dot com, we’ll cancel the cooperative agreement, and we’ll find someone else who will do it, right?

That’s your leverage when you own a house, you know, you get to say to your company that’s managing your property what the terms are and if they don’t agree to those terms, you say, well, I’m going to go to another management company. But in this amendment, they also inserted a provision that says, if the cooperative agreement is terminated, then no other parts of the cooperative agreement apply and Verisign gets to go directly to ICANN and just negotiate with them. And Verisign is the largest single funder of ICANN. And ICANN has never done anything to go against what Verisign wants.

So basically what the analogy I always use is, it would be like me negotiating with my property management company that if I terminate our contract, then you get to do whatever you want with my house, and you can rent it out to whomever you want, whatever rate you want and I have no say. It’s basically now their house. And that I think is hugely problematic.

I also think it’s a violation of the constitution because the US government cannot hand over property without the express authorization from Congress. And I don’t think Congress even knows what has happened in this space. That we have handed off potentially dot com and dot org and dot net, things that we, I would argue with the US controls to private entities and they’re making billions of dollars off of it. And they think they actually own them. And they don’t. It’s just like, I don’t own IggyVentures.com.

I licensed the term and the URL but I don’t own it. I have to renew it every year. I can’t buy it. It’s not like I bought a house, think of it more as a leased car that at any time it can expire and Verisign, there’s nothing that says they actually, or GoDaddy, have to renew my lease. And so these are all the complications that are occurring right now that are finally coming to life.

Neil Fairbrother

Okay. Now GDPR is often used as a reason, or an excuse, for not completing a WhoIs database, either thick or thin. So what is GDPR and why is it used as an excuse?

Rick Lane, Iggy Ventures

So the GDPR is the European privacy regulation that was redone, you know, about four years ago and has very strict use of personally identifiable information of customers and that’s online, but in general of how an individual’s information can be shared and captured and things of that nature. So the goals are very laudable, but it only affects the European Union. It’s not supposed to affect us here in the United States.

We have our own privacy regimes and Congress is looking at changing some of those. But what happened with the GDPR was that, as I had mentioned earlier, the registries and the registrars have always wanted to not have to deal with the WhoIs issue. They did not want to ensure the accuracy of the information and all the other things that they’re supposed to be doing. It’s just as one person from GoDaddy said at a meeting at ICANN “This is not our problem, this is other people’s problem.” Which shocked me because it is their problem.

But the GDPR, the way the lawyers have interpreted it and ICANN interpreted it after it came out, was that providing access to the WhoIs information would be a violation of the GDPR and the fines in the GDPR, I think are around 3% of worldwide income. So it provided again, I think, somewhat legitimate excuse for Verisign and GoDaddy and Tucows and others to say, look, we can’t do this because we’re going to be in violation of the GDPR.

Neil Fairbrother

When they say they’re going to be in violation of the GDPR. I mean, this is a massive piece of EU legislation. It has 173 recitals, or component parts. And recital four actually says, amongst other things, the rights to the protection of personal data is not an absolute right. So if it’s not an absolute right that personal data is protected. And, it’s not an absolute right, because GDPR says it must be considered in relation to other things going on, the functioning society and so on. So if you’ve got a nefarious actor who is doing bad things under a domain name that is leased out by Verisign for example, then it seems from this part of GDPR, that actually there is every right to reveal who that bad actor is because their protection is not an absolute right.

Rick Lane, Iggy Ventures

Well, so this is where it becomes even more complicated. Because the scenario you gave is an interesting one, which is a one-to-one right? Someone in law enforcement says, Hey, we think that this website or this domain name is being used for illicit purposes. What the registrars and registries will say is, well, then go get a subpoena and then we’ll give you the information on that one registrar or that one registrant. And in fact, what has happened is most of those subpoenas, and this is all documented by law enforcement, are just going into oblivion. They’re not even being responded to because they feel that they don’t have to, and no one’s forcing them to do anything.

But that’s not just how investigations work, when you’re looking at domain names. It’s not like you’re going in and just looking at one store that may be being used as a front for different companies and try to find out… that’s why you have land records, right, and property records who owns that one store. So when you’re doing the investigation, you’re saying, Oh, are there other stores that have similar controlling interest, right? You expand it out and gather that data.

WhoIs allows law enforcement to do that so when they’re looking and when they’re doing the investigation, these domain names are being spun out by the thousands, right? So it’s not just one domain who’s a bad actor, it’s thousands of domains. So what law enforcement have been able to do in the past, and cybersecurity experts and others, is to create what would be a bigger picture of who is behind a variety of websites so you can shut them all down and gather information and track.

And that is what has gone completely dark, that you don’t have access to the data, the underlying data. Even, you know, information people, cause they’re going to lie, they’re not going to say who they actually are. And that gets into the accuracy issue, which is also a critical piece of this. But you can find breadcrumbs of different, similar, maybe they use the same phone number or the same credit cards or same something similar that you’re able to find. It wouldn’t be the credit cards per se, because that would obviously be on the WhoIs database, but once you found the information, you could track that from a law enforcement. But you can find other types of breadcrumbs that are out there that may connect different websites to one another and you bring a bigger case and you’re able to protect more and more people.

And that’s the power of the WhoIs. So it’s not the one on one. The other thing you mentioned is law enforcement. Most of the cybersecurity in this world, network cybersecurity, is done by private entities and private cyber security experts to analyze this data, to figure out where there are vulnerabilities, where there are potential attacks, DNS attack and others, where are they coming from?

They will never have a subpoena to do that. They use this data as a way to figure out and connect the dots themselves where bad things or were bad things may be coming from. So if you have an attack from website A, normally you want to know, well, are there other websites that are doing similar attacks to somebody else. And then you gather that data. In fact when the 2016 election occurred, a key component to figure out that it was the Iranian government or Iranian sponsored entities attacking our networks. They figured that out through the use of the WhoIs.

Neil Fairbrother

We’re desperately short of time so we’ll need to wrap it up very quickly, but given the wide range of harms, phishing, DNS attacks and CSAM distribution and storage, that is caused by not having an open and transparent and accessible WhoIs database, what do you think it would take to get these organizations, Verisign, ICANN and indeed the domain name registrars, to do the right thing?

Rick Lane, Iggy Ventures

Well, from a US perspective, we are actually pushing for Federal legislation to mandate that we go back to where we were before the interpretation of the GDPR made the WhoIs go dark. That we would require accuracy, we would require access, we would require the collection of the information from any entity that wants to do business in the United States.

For us, this is a matter of protecting the safety and health of American citizens. That every major agency in US government has said is necessary to have an open and accessible WhoIs. In fact, even the Board of ICANN at a question I asked in Montreal last year, a year and a half ago now I guess, all agreed that an open and accessible and accurate WhoIs is critical to the safety and security of internet users. And yet we’ve been working on this problem for three and a half years, and it gets darker and darker.

And even if ICANN say that they have a fix tomorrow it’ll take another three years, according to their own estimates, to actually implement. So the only way to do this is for federal legislation here in the US to mandate that the WhoIs information is accurate and accessible and we get back to where we were before all this started.

Neil Fairbrother

Okay. So you’re planning on some new legislation Rick, which is fantastic, but if this is such a big deal, why isn’t this already being enforced by legislation?

Rick Lane, Iggy Ventures

It’s a great question, because you’d think with all the letters that have come in from the different agencies saying what a critical issue this is, that the Congress would have acted. I always like to say, if the GDPR had come out of Iran or China or somewhere else, the US government would have immediately acted on it because it was a threat to our national security.

Yet because it’s out of the EU and is dealing with privacy, they are hesitant. And it’s also a very complicated issue. And I always feel for the staffers when I ask them, do you know what ICANN is? And they say, no, I know it’s going to be a long conversation, but I also know it’s going to be really hard for those staffers to educate their bosses, senators, and members of Congress, of what ICANN is and how this all relates to our national security.

And so it gets pushed further and further down because just like electricity, no one really thinks about it until it goes dark and something bad happens. And right now, nothing bad has happened that has been so explosive, but you will see that is happening more, and more of the phishing attacks and cyber attacks have increased dramatically. And the US Congress is looking at an overhaul of our cyber security efforts and we believe WhoIs is going to be a critical part of that discussion.

Neil Fairbrother

Okay. Well, I think we’re going to have to leave it on that note. Rick, thank you so much, fascinating insight into the structure of the Internet, how it works and all the various moving parts. Good luck with your legislation and let’s keep in touch on it and I look forward to seeing how that evolves.

Rick Lane, Iggy Ventures

Well, thank you, Neil, for having me again.