September 30, 2003

Verisign and Privacy - the Very Odd Couple

I live in California, so I'm used to seeing really strange couples.

But today I saw something that stood out as far more than just an overwrought case of run-of-the-mill odd.  It stood forth as deserving to be considered a fundamental contradiction of terms.

What I saw is this: Verisign has started a website that proclaims itself as the "Network Solutions Privacy Web Site"!

Now that's really a bizarre combination.

On one hand the website proclaims "The personal data that you provide when you register a domain name should be just that — personal. That’s why Network Solutions® is leading efforts in campaigning for stronger domain name privacy rules".

On the other hand we see that very same Network Solutions gathering information on 20,000,000 internet users a day via its "Sitefinder" and shipping that information to another company,

If Verisign wants to demonstrate that it cares about privacy, it should start by removing the web-bug from its Sitefinder web page and make a guarantee to the public that Verisign is not using the privacy-revealing data.

The privacy policy that Verisign cites on its SiteFinder page sweeps privacy under the rug by designating items such as what a user was viewing before he/she landed on Sitefinder as mere "statistics".  Considering that such referral information can, and often does, include names, addresses, account numbers, search engine search keys, credit card numbers, birthdates, social security numbers - or anything else that someone might choose to stuff into a URL, this referral information is a long way from innocent "statistics."

Nor does Verisign's Sitefinder's privacy policy disclose that they are shipping this information, in full detail form, not in any aggregate form, off to a third party, Omniture, that may not have any obligation regarding privacy that the user can enforce.
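The difference between full-detail referral data and an aggregate-safe form can be checked mechanically. The following is an added example, not part of the original post: it audits Referer URLs for values that look personal and shows what remains when each is cut down to its origin. The sample URLs, parameter names and patterns are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative patterns for values that end up in query strings (not exhaustive).
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
SSN = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD = re.compile(r"^\d(?:[ -]?\d){12,18}$")   # 13 to 19 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return a label for a value that looks personal, else None."""
    value = value.strip()
    if EMAIL.match(value):
        return "email"
    if SSN.match(value):
        return "ssn"
    if CARD.match(value) and luhn_ok(value):
        return "card"
    return None


def audit_referrer(url: str):
    """Return [(param, kind)] for query parameters whose values look personal."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kind = classify(value)
        if kind:
            findings.append((name, kind))
    return findings


def origin_only(url: str) -> str:
    """Drop path and query: the most a third party needs for traffic statistics."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


# Constructed sample Referer values (test card number, published sample SSN).
SAMPLE_REFERRERS = [
    "http://shop.example/checkout?name=Pat+Doe&cc=4111111111111111&email=pat%40example.org",
    "http://search.example/find?q=078-05-1120",
    "http://news.example/2003/09/story.html",
]

if __name__ == "__main__":
    for ref in SAMPLE_REFERRERS:
        # Free-text values such as name=Pat Doe match no pattern, so pattern
        # scrubbing alone is not enough; only the origin-only form is safe.
        print(origin_only(ref), audit_referrer(ref))
```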

Verisign and Privacy - the very odd couple.

Posted by karl at 8:02 PM

September 27, 2003

SiteFinder II?

Verisign's SiteFinder appears to be based on the idea that anything on the internet that is not explicitly prohibited is thereby permissible.

For the moment let's put aside Verisign's monopoly position and the special responsibilities and limitations on behavior that derive from that position.  And let's also put aside any patents that may be lurking out there that might cover SiteFinder.

If we assume, for the sake of discussion, that Verisign has correctly asserted that there are few bounds on what it can do on the internet, then where could Verisign go with something that I'll call SiteFinder II?

It would be quite easy for Verisign to modify its existing SiteFinder service so that instead of returning the true and unmodified URLs that lead directly to the web sites that a user selects, SiteFinder II could return URLs that lead to Verisign-operated proxy servers that themselves obtain the desired materials and then present them to the user.

This is arguably similar to explicit proxying through tools such as Squid or implicit proxying through any number of so-called "transparent" web caches.  However it would be of a much greater scope - once a user made a typo in a name, all subsequent web access could be mediated by this still hypothetical SiteFinder II.

With that mechanism, Verisign could then do even more intensive data mining of users' web activities than it does in SiteFinder I with its simple web-bug and activity logs.  SiteFinder II could read every word presented to millions of unsuspecting users and view every picture seen by those users.  The revenue that SiteFinder II could produce could dwarf the already significant potential revenues of SiteFinder I.  And such a system would deserve to be named BigBrother rather than SiteFinder.

The technology for this hypothetical SiteFinder II is easy to create, or buy, using already existing commercial off-the-shelf products.  If Verisign is right in its assertion that it has the free right to deploy SiteFinder I, there is really nothing to prevent it from going further with even more invasive "products" such as the hypothetical SiteFinder II that I have described.

Posted by karl at 2:43 AM

September 26, 2003

First Law of the Internet

Several times over the last few years I have referred to a formulation that I call "The First Law of the Internet".

I believe that this First Law represents the proper balance between public and private effects of internet activity.  This First Law is in need of significant refinement, but is there anyone out there who believes that this First Law does not point the proper direction?  If so, I encourage the articulation of that view.

Given the recent private acts on the net by Verisign, acts that have a broad public impact, I believe that it is worthwhile to visit the most basic questions regarding what the internet is and how we accommodate competing and conflicting uses.

The First Law of the Internet

Every person shall be free to use the Internet in any way that is privately beneficial without being publicly detrimental.

  • The burden of demonstrating public detriment shall be on those who wish to prevent the private use.

    • Such a demonstration shall require clear and convincing evidence of public detriment.

  • The public detriment must be of such degree and extent as to justify the suppression of the private activity.

Posted by karl at 11:53 PM

September 25, 2003

The California Recall

A person would have to be a troglodyte to not know that we are having a recall election here in California.

It is an amazing experience.  It is certainly visibly less organized than the typical election, but there is order - the situation has not disintegrated into chaos.

For once we are seeing a wide variety of candidates; for once we have a real menu to select from.

I think that more elections should be like this one.

California is having a very healthy fling with democracy.

This is in stark contrast to our favorite "public benefit" entity, ICANN, an entity that tossed elections overboard at the first opportunity.

How am I going to vote?

  • AGAINST: the recall.  Touchstone [from Shakespeare's As You Like It] described my rationale nicely:
        "a poor virgin, sir, an ill-favoured thing, sir, but mine own".

  • FOR: Arianna Huffington

Posted by karl at 8:23 PM

GNSO Wimps out

I see that ICANN's GNSO issued a resolution regarding the Verisign Registry Site Finder "service".

Verisign's action is very serious. Verisign's act repudiates the end-to-end principle, the foundation upon which the Internet is constructed. Verisign's act implies the end of coherent governance of the Internet and the abandonment of the net to monopolistic manipulation.

In contrast to the seriousness of Verisign's action, the GNSO's resolution is weak, equivocal, and timid.

In an article today, Verisign's CEO asserted that what Verisign has done is benign and that only a noisy few are concerned.

With timid and euphemistic resolutions such as the one passed by the GNSO, no one ought to be surprised if people begin to believe Verisign's words and "Site Finder" becomes the established status quo.

Posted by karl at 11:18 AM

September 22, 2003

Will Network Solutions/Verisign Get Away With It Again?

As pretty much everyone now knows, Verisign recently used its monopoly registry position over .com and .net to impose a revenue-producing mechanism, which they call "SiteFinder", onto all users of the internet who are human and thus who make mistakes.

I think that it has now been pretty well established that Verisign's "SiteFinder" has damaged the technical stability of the Internet, that it represents a major abuse of Verisign's monopoly position, and that it amounts to a mass harvesting of web users' browsing habits.

ICANN has requested that Verisign voluntarily roll-back "SiteFinder".  Verisign has, so far, refused to do so.

I believe that what ICANN is requesting is entirely appropriate and that a due respect for the stability of the internet should compel Verisign to comply with that request.  However, there are signs that greed will prevail over reason and that Verisign will withdraw "SiteFinder" only in the face of an unambiguous, unequivocal, and incontrovertible order to do so.  This may mean that either ICANN or the US Department of Commerce may have to pull out the legal guns.

And if they do, I hope that ICANN or the DoC wins.

However, prudence obligates us to examine whether ICANN or the US Department of Commerce have the strength to win.

It is not at all clear to me that ICANN has the power to compel Verisign to rescind Verisign's "SiteFinder".  Nor is it clear to me that the US Department of Commerce, even if it might have the authority, has the will.

The relationship between ICANN, the DoC, and Verisign is one governed by agreements that have the look and smell of contracts.  This means that many of the rights and duties of these players are governed by contract principles.  Clearly the relationship between the DoC and Verisign is a child of US Federal law.  However, since both Verisign and ICANN are incorporated in the State of California, many of those principles governing the contracts between Verisign and ICANN will be found in the laws of California.  And California, perhaps more so than other states, tends to allow contract obligations to be interpreted in the light of the history of the contractual relationship.

More than ten years ago - on January 1, 1993, Network Solutions received a five year grant of monopoly authority over .com, .net, .edu, and .org from the US Government.  That grant was supposed to expire after 5 years, on September 30, 1998.  This note is being written on September 22, 2003 - nearly five full years after NSI's original contract was to have expired.

The circumstances of that initial contract might raise a few eyebrows - NSI won even though there were others in the running who had significantly greater and proven competence (think "founders of UUnet"), who bid much lower fees.

That original has been amended by the US Department of Commerce no less than 25 times.  Those amendments collectively amount to The Great Internet Giveaway, in which control over the core assets of the internet has been abandoned into the hands of NSI/Verisign.  As a result, Verisign today  has come to effectively control those internet assets that it was originally hired to simply administer.

The amazing largess of the US Department of Commerce towards Verisign has been matched by ICANN.

ICANN has given NSI/Verisign gift after gift after gift.  ICANN spent several years not allocating new top level domains (TLDs), thus continuing NSI/Verisign's monopoly, much to the benefit of Verisign's financial bottom line.  And when new TLDs were finally allocated, the restrictions that ICANN imposed on the newcomers did nothing but confirm NSI/Verisign's dominance for several additional years.  ICANN's division of the DNS name business into "registries" and "registrars" came with a nice prize for NSI/Verisign - that company was allowed to double dip into the system as both a "registrar" and the monopoly "registry" of the largest TLDs.  And we ought to never forget that ICANN, on the private initiative of its outside "counsel", gifted the .com TLD unto NSI/Verisign in perpetuity.  And ever since, ICANN has continuously assumed "the position", even over the objections of ICANN's own DNS policy bodies, whenever NSI/Verisign came knocking - one has only to look at the history of the Wait Listing Service to see how easily ICANN succumbs to NSI/Verisign's siren song.

Verisign has demonstrated an amazing ability to negotiate the pants off of the US Government and ICANN.

However, Verisign's ability to wag ICANN and the Department of Commerce has met with a bit more friction as of late.  For example, ICANN showed a bit of backbone when Verisign wanted to race into the early, and arguably reckless, deployment of  internationalized domain names.  ICANN and Verisign went head-to-head over a system that was remarkably similar to "SiteFinder" but in the context of internationalized domain names.  In that instance, Verisign backed down.

Verisign's "SiteFinder" represents a repudiation of the entire structure of governance of the internet as conceived by the IFWP, the NTIA Green and White Papers, and ICANN itself.

But is there anything that either ICANN or the US Department of Commerce can do about it?

The authority of both the US DoC and ICANN is made confusing and weak by the maze of cooperative agreements, memorandums of understanding, CRADAs, and purchase orders that exist between ICANN, the DoC, and Verisign/NSI.  Rather than mutually reinforcing one another, these documents create a fabric of plausible excuses that allows Verisign to dance this way and that to whatever tune it decides to play - it will take a major legal effort, one that ICANN might not be able to afford, to unravel the mess.  And the outcome is hardly certain.  For example, because the DoC and ICANN have chosen to use weak and ambiguous legal forms such as "memorandums of understanding", instead of firmly and clearly enforceable "contracts", Verisign might successfully argue that ICANN and the DoC never intended to establish rights and duties that can be enforced in a court of law.

And ICANN, by virtue of its grant of permission to .museum to use the same wildcard mechanism that underlies "SiteFinder", has created a situation in which Verisign can argue that what's good enough for .museum is good enough for .com - and that if there is a difference, it was ICANN's job to define the boundaries, something that ICANN has not done.

ICANN's authority is further weakened by ICANN's historical failure to exercise controlling oversight over technical operations of DNS and by ICANN's tunnel-vision focus on non-technical matters (such as whether the lack of felicity of the sound of "iii" when spoken made that string inappropriate for use as a top level domain.)  Because ICANN has exercised only the most tenuous oversight of important technical matters, such as the operation of root servers, service level obligations of TLD servers, DNS security, data escrow, etc, ICANN is not in a good position to suddenly prohibit Verisign's use of a practice that is not in express violation of any Internet Standard.  (Verisign's practice may be in violation of some implied "penumbras" of the Internet Standards, but that is a difficult argument for ICANN to make.)

If one needs a concrete example, consider that over the course of the last year the root server operators have established anycast-based replica servers.  (I personally consider what they have done to be a very good thing.)  However, by any metric this deployment represents a significant change to the critical infrastructure of DNS.  This change was made with neither notice to nor approval from ICANN.  Verisign has as a consequence been given an opportunity to make equally significant changes and, if ICANN questions them, to ask why Verisign is being singled out.

ICANN is now the victim of its own past behavior - because ICANN has never dealt with issues of internet technology but has instead focused its attention on economic and business matters with no real link to internet technical concerns, ICANN has squandered its ability to speak with authority when someone stretches a technical standard.

Because of this history, ICANN is going to have an uphill effort to argue that ICANN has the moral or contractual authority to require that Verisign's SiteFinder be curtailed on technical grounds.  And because of our legal and economic preference for regulation by competition rather than regulation by fiat, ICANN's arguments based on the economic and business repercussions of SiteFinder can be countered by Verisign saying that the marketplace, rather than ICANN, ought to resolve those issues.

Therefore, it seems to me that ICANN may not possess a sufficiently strong lever to force Verisign to discontinue "SiteFinder".

But what about the US Department of Commerce?

The US Department of Commerce has never clearly established how or why it has authority over DNS.  Two reports by the General Accounting Office of the US Congress have suggested that the DoC is floating in the air without any clear foundation of authority.

Archimedes said he could move the world if he had the right place to stand.  By analogy, the US Department of Commerce may find itself powerless because it has never been able to demonstrate why, in our US Constitutional system of delegated and limited powers, it has any power to act.  (The lack of power in the DoC does not mean that there may not be power in some other part of the US Federal government, but in the absence of any such body picking up the sword in these matters, it may be premature at this time to burn a lot of pixels on that question.)

To make matters worse, ever since it first became involved in the internet, the US Department of Commerce has intentionally divested itself of authority by adopting the astoundingly stupid Reagan/Thatcher notion that government functions are best done by unaccountable private bodies.

This creates a situation in which Verisign might be able to defend itself against the DoC by confounding the issues with the question whether the DoC has any authority in these matters at all.  We ought to remember that time is on Verisign's side - with every tick of the clock and every delay caused by distracting maneuvers, Verisign's income increases.

Despite these questions of authority, there still exists the Cooperative Agreement - the one created more than a decade ago - through which Verisign derives its role over .com and .net.  The DoC, even if there are questions about its ultimate source of authority, is holding the contract and has several rights that it could exercise to direct the behavior of Verisign or even to terminate the contract and transfer .com and .net to another body.

But does the DoC have the guts to do this?  I'm not sure.  The DoC has always retreated when faced with acts that in some way could affect the stability of the internet - and there is no doubt that an involuntary transfer of .com and .net to another operator could have non-trivial repercussions.

The DoC has been operating largely through the intermediary of ICANN; it's going to take a strong and brave person in authority within the DoC to turn around that well established practice and to take firm grasp of the reins that the DoC has over Verisign by virtue of that oft-amended 1995 Cooperative Agreement.  Is there anyone in the DoC who is that strong?  I believe that there are such people at the DoC.  However, those who I know are not necessarily in NTIA's management chain.

Posted by karl at 9:02 PM

September 2, 2003

"non-achievable representativity goals"?

Thomas Roessler's blog contains an entry, Re: Organization vs Issues which puts forward an argument why ICANN's ALAC ought to be issuing position statements on substantive ICANN policy matters when the ALAC itself has only the thinnest and weakest of tendrils into the community of people affected by the internet and ICANN's policies.

Thomas is a valiant warrior who does carry the flag of public interest. But my sense is that his note hints more of retreat than of progress.

I'm not sure I can find the core of his argument. However, I did note the claim that any user representation body would be subject to criticism because it doesn't represent individual users.

Now, I find that to be a very odd claim, particularly when that claim is coupled with the statement that "representativity" is "non-achievable".

I'd like to know why it is that elections by internet users for representatives on ICANN's Board of Directors are "non-achievable". To my way of thinking, we have an existence proof, the ICANN elections of year 2000, that clearly indicates that such means are quite achievable.

ICANN has done a great job destroying the means for the public interest to have a voice in ICANN's decisions. It is unfortunate that the Potemkin Village that ICANN has erected, the ALAC system, as a facade to mask its expulsion of the public interest fools some observers into the belief that ICANN has a means for public participation.

One can only hope that the ALAC members themselves don't buy into ICANN's repudiation of real participation. However, a missive from the ALAC's central committee that blithely dismisses direct elections by the public for ICANN Board seats does not bode well for the success of the already enfeebled ALAC.

Posted by karl at 5:51 PM

September 1, 2003

Why is Battle of Algiers so hard to obtain in the USA?

I've noticed a conspicuous absence from the US movie scene and market - it is the 1965 film Battle of Algiers.

Given the position of the US in Iraq, I would think that this movie ought to be required viewing. However, if one can snag a copy at all in the US, it is on VHS tape (although DVD versions are available in Europe.)

The US movie industry treats us all as thieves-in-waiting and blames its reduced sales on illicit copying. I would buy a region 0 or 1 DVD version of Battle of Algiers if I could find a copy.

This is a movie with an important message for the citizens of America of today; it is very sad that it is not easily available.

Posted by karl at 12:52 AM