ICANN Challenges FDA Claims About Whois – Domain Name Wire

The Domain System Supervisor disagrees with the FDA representative’s complaints about Whois.

ICANN CEO Göran Marby sent a letter (pdf) to the US Food and Drug Administration challenging a presentation (pdf) made by one of its representatives this month.

Dan Burke, head of the US FDA’s Investigative Services Division, gave a June 2 presentation on Whois during a webinar sponsored by the Coalition for a Secure and Transparent Internet (CSTI).

DomainTools, LegitScript, and Spamhaus founded CSTI to advocate for open Whois records in the wake of the EU’s General Data Protection Regulation (GDPR). All of these groups use Whois data for investigations, and much of this information has been obfuscated as a result of GDPR.

ICANN takes issue with several things Burke said during the presentation.

1. An applicant must have a subpoena to access non-public registration data

The prepared presentation said that more registrars will not share Whois data without a subpoena. But during the presentation, Burke said the only way to get Whois data was with a subpoena.

ICANN noted that registrars and registry operators must provide reasonable access to registrant data upon request for legitimate interests. How this plays out in practice, however, is open to debate.

Burke notes that some registrars won’t take action. It pointed to adderallstore(.)com, a domain registered with Crazy Domains (owned by Newfold Digital). He said the FDA asked Crazy Domains to remove the domain and the registrar said it was just the registrar and the FDA should contact that host. (Note that this was a pull request, not a Whois request.) Burke said some registrars help with cases like this, and some don’t.

He also said that registrar reluctance has led the FDA to move up a level in registries, and pointed to a pilot program it is running with Verisign and PIR:

Pilot program launched to crack down on online opioid sales

2. ICANN and Registrar/Registrar salaries are tied to selling more domains.

The insinuation is that ICANN looks the other way because its employees make more money when more domains are registered. ICANN denies this. Given current registration numbers and ICANN’s budget, I’m inclined to agree that “bad domains” don’t support salaries.

This is a more relevant argument for some registrars and registries that rely on malicious registrations to fill their coffers.

3. ICANN ignores complaints from government agencies

ICANN explained its role in the Internet ecosystem and ways to participate. In his presentation, Burke said he didn’t have the bandwidth to try to work with ICANN.

The take-out sale

Whenever I write about the lack of public Whois data, people inevitably comment that bad actors used fake Whois data. But security researchers point out that even bad data has value. Burke said Whois data allows him to link networks and more easily obtain assignments based on that information.

If I were to use the Politifact grading system, I would give Burke’s presentation a “mostly true” or “half true” rating. It’s mostly precise but leaves out important details.