Solving the .US Registrant Data Directory Services (RDDS) Conundrum
Recently, ten Democratic members of Congress wrote a letter to NTIA Chief Alan Davidson, requesting that the “NTIA immediately cease public disclosure of personal information about users of the .US country code top-level domain (ccTLD).” This communication highlights an important concern with domain registration data: the need to protect the privacy rights of registrants. However, an equally important concern about registration data was raised by Rick Lane in an article he wrote in response to this communication: the need to access this data to combat domain abuse. The conundrum facing the secure, stable, and inclusive operation of the .US country code top-level domain (ccTLD) is that these concerns may conflict but both need to be addressed. In addition, the parties failed to address a third important concern that is fundamental to addressing the other two: the need to ensure the accuracy of registration data, which has significantly impeded the resolution of this issue to this day.
This is not an isolated problem
This problem of addressing the accuracy of, and access to, registrant data (historically known as Whois data) by legitimate third parties is not unique to the .US namespace. ICANN has grappled with the same problem within the generic top-level domain (gTLD) namespace since its founding in the last century. ICANN’s inability to address the accuracy of registrant data has been the biggest hurdle in finding a solution to the problem. In fact, ICANN’s Accuracy Scoping Team was not even able to come to a consensus on the definition of “accuracy” after debating the issue for more than a year.
The concerns about the need to protect registrant privacy expressed in the Democratic submission are valid. As someone who has been inundated with unwanted phone calls and emails after registering a domain name, I personally would have liked a bit more privacy “by design” – not by payment of additional privacy/proxy fees. However, as an attorney who has been fighting domain abuse and illegal activity online for more than two decades, I see firsthand how access to accurate registrant data has diminished. Rick Lane’s concerns about how this data became obscured and prevented legitimate third parties, such as law enforcement and intellectual property owners, from timely access to this data are also valid.
Why registrant data accuracy is so important
In an ideal world, only honest people would register domain names and only legitimate third parties would have access to registrant data, and there would be no problem. Unfortunately, we are far from this utopia. Instead, we have criminals, foreign and domestic, registering .US domain names and causing damage. At the same time, we have honest individuals and companies registering .US domains with true and accurate registrant information, which is then illegally mined and used to flood them with unwanted communications. Having accurate registrant data heightens the legitimate privacy concerns expressed in the Democrat letter to the NTIA, while simultaneously supporting the legitimate cybersecurity interests documented in Rick Lane’s article.
NTIA should follow CISA leadership to balance privacy and cybersecurity
Since taking over operation of the .GOV top-level domain from the General Services Administration (GSA), the Cybersecurity and Infrastructure Security Agency (CISA) has implemented several operational changes. These changes include enhanced KYC requirements, multi-factor authentication, enhanced privacy protection for registrant data, and several other security features, while reducing the annual cost of a domain name for eligible U.S. government organizations from $400 per year to free.
As part of GSA’s operation, queries for information associated with .GOV domains returned a range of information, including personally identifiable information (PII), similar to current .US practice. Under the revised operation of CISA, a query for information associated with the NTIA.GOV domain returns the following five items: (1) Agency: Department of Commerce; (2) Organization: National Telecommunications and Information Administration; (3) Domain name: NTIA.GOV; (4) Status: Active; and (5) security contact email: [email protected].
CISA provides enhanced privacy protection to .GOV registrants in exchange for registrants being subject to enhanced KYC and security requirements. This fair consideration is lacking in current .US registry policies.
A constructive way forward
Simply requiring registrant verification is not sufficient. As discussed in Rick Lane’s article, there are many compelling circumstances where the public interest weighs in favor of disclosing an individual’s and/or company’s identity. Unfortunately, the Democratic submission did not address the accuracy of registrant data or how legitimate third parties would access it in a timely manner. But a constructive way forward should involve the following two actions.
First, the NTIA should research and publish best practices used by other ccTLD operators to ensure that .US is best in class for data accuracy and privacy. Following the publication of this research, the NTIA should hold a formal public consultation seeking input from all stakeholders (individuals, businesses, as well as other government agencies) on how best to promote the security, stability, and inclusiveness of the .US namespace.
Second, the .US and .GOV TLDs both need to be clearly recognized as critical national infrastructure. The importance of this critical national infrastructure is not a Democratic or Republican issue, but a national security interest of the United States. The European Union has clearly recognized the importance of TLD registries as critical digital infrastructure under its revised Network and Information Security (NIS) Directive (NIS 2.0). The US Congress should consider holding hearings on this issue to foster a bipartisan position to advance a common position on cybersecurity.