Federal Government Warned About Threat Posed By Dark Whois

The Food and Drug Administration of the United States has taken their dispute with ICANN to a new level, issuing a warning that unavailable Whois data is making it more difficult to combat phony “cures” for Covid-19 and the opioid problem in the country.

Catherine Hermsen, who works for the Office of Criminal Investigations at the FDA, sent a letter to Goran Marby, the CEO of ICANN, last week to express her displeasure with the fact that some registrars do not respond to abuse complaints in an adequate manner and that ICANN ignores follow-up complaints from government agencies.

She doubled down on the FDA’s prior criticism that ICANN’s inactivity may be because the organization is supported by the industry, but she backpedaled on previous insinuations that ICANN’s leadership was putting their own large salaries ahead of the public’s safety.

The conflict began in the beginning of June when an organization known as the Coalition for a Secure & Transparent Internet held a one-sided webinar titled “The Threat of a Dark WHOIS.” This organization is essentially a front for companies such as DomainTools and other businesses whose business models are threatened by privacy legislation.

During that webinar, Daniel Burke, chief of the FDA’s Investigative Services Division, decried the lack of cooperation his agency gets when obtaining private Whois data from “some” registrars. He also alluded to examples where the FDA’s inability to promptly have fraudulent pharma sites, notably those connected to Covid-19, shut down has resulted to deaths.

Additionally, he stated that complaints to ICANN regarding non-compliant registrars fall on deaf ears, to the point that it is no longer worthwhile to complain, and he argued that ICANN and domain firms are financially motivated to be unhelpful.

Burke attributed the following statement to the author Upton Sinclair: “It is difficult to convince a guy to grasp something when his income depends on him not knowing it.” [Citation needed]

Burke stated that he had discovered this to be the truth via his dealings with ICANN as well as some registries and registrars. They just don’t want to hear what we have to say… Although they could earn money off of it right now, doing so would not be in their best financial interest.

On the CSTI webinar, Marby “spoke,” but his brief intervention was actually only an out-of-context excerpt that said, “GDPR is not my fault!” T-shirt speech, which was extracted from a tape of an ICANN webinar that took place in January and presented — in my opinion in a dishonest manner — as if it had been shot as a contribution to the CSTI discussion.

Due to the fact that he was unable to immediately answer to Burke live, a couple of weeks later he wrote to the FDA (pdf) in order to counter some of Burke’s assertions.

First, Marby stated that a subpoena is not required for the FDA to have access to Whois data. This was stated by Marby. According to him, registrars are required to reply to “legitimate interest” inquiries even though such demands have to be weighed against the registrant’s right to privacy. He added:

There have been a few cases in which government agencies have lodged complaints with the ICANN Contractual Compliance department over the reluctance of registrars to give non-public registration data. In the end, these government agencies were successful in acquiring access to the material they had requested without having to first seek a subpoena or a legal order.

Second, Marby refuted the accusations that there was a financial motive for ICANN’s leadership by noting that their salaries are in no way connected to or reliant on the number of domain name registrations.

Thirdly, he provided a response against the accusation that ICANN ignores complaints from government agencies by pointing out that “ICANN is not political and, as a result, takes efforts to guarantee that the workings of the Internet are not politicized.” In my opinion, this defense was rather poor.

He also mentioned that the Internet Corporation for Assigned Names and Numbers (ICANN) has a system known as DNSTICR, which is responsible for monitoring allegations of DNS abuse connected to the pandemic and alerting the appropriate registries and registrars.

The issue here is that ICANN’s definition of misuse is rather limited, and it does not apply to websites that provide industrial bleach as a treatment for Covid. That would be considered “content,” but ICANN does not serve as a “content police” force.

Scroll to Top