The Honorable Howard Coble
2468 Rayburn House Office Building
Washington, DC 20515-3306
The Honorable Howard L. Berman
2330 Rayburn House Office Building
Washington, DC 20515-0526
Re: Oversight Hearing on Internet Database Accuracy and H.R. 4640
Mr. Chairman and Ranking Member Berman:
Thank you for this opportunity to present our views on the accuracy of the WHOIS database, and H.R. 4640. Because requiring accurate information in the WHOIS database as required by H. R. 4640 has important implications for privacy and the First Amendment, we urge you to oppose the bill.
H. R. 4640 would make a crime to provide "material and misleading false contact information" the domain name registrars, registries or other domain name registration authorities, if it is done "knowingly and with intent to fraud." Violators could face five years in prison as well as stiff fines.
Current Standards
There currently is relatively little law regarding domain name contact information. The Internet Corporation for Assigned Names and Numbers (ICANN) is the central authority for all Internet users worldwide that wish to register a domain name. The few rules that do exist regarding contact information that registrants must submit are largely provided under ICANN's standard Registration Accreditation Agreement (RAA). Under this agreement, registrars must collect certain types of information from their customers. This data include such things as the registrant's full name, postal address, e-mail address, voice telephone number, and fax number. (See ICANN Registrar Accreditation Agreement, § 3.7.7.1 (17 May 2001) [hereinafter The Agreement].) Registrants who willfully fail to provide such information or willfully fail to "promptly update" such information will lose their registered domain name. (See Id. at § 3.7.7.2).
The Agreement provides little or no privacy protection to a registrant's information. Indeed, the contract forces registrars to provide public access (through a service popularly known as "WHOIS") to the identity and mailing address for the domain name older and the identities, mailing addresses, e-mail addresses, telephones and fax numbers for the technical and administrative contacts. (See ICANN Registrar Accreditation Agreement, § 3.3). Moreover, registrars must retain such data for the duration of the Agreement "and for three years thereafter." (See Id. at § 3.4.3).
The RAA specifically allows registrars to sell bulk access to their databases of domain name registrants for a fee (See RAA II.F.6). The only restriction is that the third-party recipient of the data may not use registrant data to send unsolicited commercial e-mail (also known as "spam"), and registrars may establish an opt-out for registrants if they so wish. ICANN has even gone so far as to attempt to restrict the ability of registrars to establish a higher level of privacy protection on their own. (See ICANN's Amicus Curieae Memorandum, Register.com, Inc. v. Verio Inc., located at http://www.icann.org/registrars/register.com-verio/amicus-22sep00.htm).
The ICANN RAA does provide a way for an individual to license the use of a domain name to a third party. (See RAA, § 3.7.7.3). Establishing an intermediary between the operator of a web site and the general public may avoid short-term identification of the actual user of a particular domain name. This may work temporarily for noncontroversial web sites. However, for the most controversial artistic, political and religious speech, it will be difficult for an online speaker to find an intermediary who will offer to have his own identity made public instead of the actual speaker. For example, abusedwomen.com or freetibet.org may not find someone willingly to be the lightening rod for controversy. Additionally, the third-party licensing provision is unambiguous in stating that the intermediary will be directly liable for use of the domain name by the actual user.
While the RAA requires that certain information be provided to the registrar, that is not currently the practice. A significant amount of information currently submitted is not accurate and the registrar does not verify the vast majority of the information submitted. In practice, the domain name holder decides what information to submit to the registrar and therefore what is consequently displayed to the public in the WHOIS database. Thus, in practice, domain name holders are able to maintain their anonymity.1
Advocates of this legislation argue that anonymous speakers can register a second-level domain and thereby remain anonymous. A domain name is virtually required for any individual or organization that wishes to establish a web site. And, it is clear the preference is for top-level domains. Anyone looking for IBM.com will be looking in the top-level domain of.com, rather than IBM.geocities.com or IBM.aol.com. Reliance on search engines such as google.com is misplaced, as no search engine has yet completely indexed the World Wide Web. It is estimated that only approximately two percent of the Web has been indexed. Therefore, top-level domains are the most practical way for a site to be found and voices to be heard.
Requiring accurate information in the WHOIS database that is then made available to the public destroys anonymity protected under the First Amendment.
The right to communicate anonymously is protected under the First Amendment. In Talley v. California, 362 U.S. 60 (1960), the Supreme Court declared unconstitutional a ban on anonymous hand bills. The Court observed that the "obnoxious press licensing law of England, which was also enforced on the Colonies was due in part to the knowledge that exposure of the names of printers, writers and distributors would lessen the circulation of literature critical of the government." Id. at 64. In his majority opinion, Justice Black noted that "[p]ersecuted groups and sects from time to time throughout history have been able to criticize oppressive practices and laws either anonymously or not at all." Id.; see also McIntyre v. Ohio Elections Commission, 115 S.Ct. 1511 (1995).
In the Internet context, protection of anonymous communication was addressed briefly, and upheld, in ACLU v. Johnson. 4 F.Supp.2d 1029 (D.N.M. 1998). The New Mexico statute at issue in the case addressed material "harmful to minors" sent over the Internet. One of the defenses provided was to restrict access to such material "by requiring the use of a verified credit card, debit account, adult access code or adult personal identification number." The court found that the law "violate[d] the First and Fourteenth Amendments of the United States Constitution because it prevents people from communicating and accessing information anonymously." The Tenth Circuit Court of Appeals affirmed the decision without discussing anonymity.
In ACLU v. Miller, 977 F.Supp. 1228 (N.D.Ga. 1997), the ACLU challenged an amendment to Georgia's Computer Systems Protection Act. The act made it a misdemeanor to "knowingly. . . .transmit any data through a computer network [using] any individual name. . . .to falsely identify the person. . . . .transmitting such data." The District Court granted a preliminary injunction against enforcement of this law, holding that "the statute's prohibition of Internet transmissions which 'falsely identify' the sender constitutes a presumptively invalid content-based restriction under McIntyre."
The court concluded the statute was vague and overbroad because it was "not drafted with the precision necessary for laws regulating speech. On its face, the act prohibits such protected speech as the use of false identification to avoid social ostracism, to prevent discrimination and harassment, and to protect privacy. . . .a prohibition with well-recognized First Amendment problems." Id. at 1233
The current WHOIS database fails to provide meaningful protections for the privacy of personal information. As a result, the only means for individuals to exercise anonymity is to withhold certain pieces of identifiable information.
Congress should reject requirements that would force individuals to provide personal information to WHOIS until there are adequate protections for the privacy of personal information in place, and a guarantee of anonymity. Because the First Amendment protects anonymity, and H.R. 4640 would make anonymity impossible, it is likely the Supreme Court would invalidate such a law. We therefore urge you to reject this bill.
Sincerely,
Laura W. Murphy
Director
Marvin J. Johnson
Legislative Counsel
ENDNOTES
1 Note that we are not advocating that the First Amendment provides a right to lie. We are merely illustrating the conflict that occurs between the bill, the RAA, and those who wish to preserve their anonymity
Related Issues
Stay informed
Sign up to be the first to hear about how to take action.
By completing this form, I agree to receive occasional emails per the terms of the ACLU's privacy statement.
By completing this form, I agree to receive occasional emails per the terms of the ACLU's privacy statement.