White House Names Cybersecurity Coordinator

The White House announced today that President Obama has appointed Howard Schmidt to be the new “White House Cybersecurity Coordinator.” More information about Mr. Schmidt’s background can be found within the announcement of his appointment (including in an embedded video), but also within press coverage of the development. See, e.g., Siobhan Gorman, “Cyber Chief Selected by Obama,” The Wall Street Journal, Dec. 22, 2009 at A6; AP, “White House Picks New Cyber Coordinator”, Dec. 21, 2009 (available through FoxNews).

Mr. Schmidt’s duties will apparently include: “setting computer security policy and providing budget guidance across the government. Among his top challenges will be tapping the cyberdefense capabilities at the National Security Agency while ensuring adequate privacy protections for activities in the civilian sector.” Gorman, “Cyber Chief Selected by Obama.”

Previous posts on this topic were dated in May, when President Obama first announced the position.

UPDATE: A more complete analysis of Mr. Schmidt’s appointment, background and anticipated responsibilities was published in today’s (12/23/09) Wall Street Journal: see Siobhan Gorman, “Cybersecurity Chief to Fill a Post Filled with Challenges,” The Wall Street Journal, Dec. 23, 2009 at A6.

ICANN Seeks Independent Proposals relating to WHOIS Data

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued public requests for proposals for the following studies relating to WHOIS data:

* WHOIS Misuse studies (deadline to respond – November 27, 2009 – has closed).
* WHOIS Registrant Identification studies (deadline to respond – December 22, 2009).

In both instances, the substantive study would begin in early 2010, with a completion goal of June 2010 or December 2010, to coincide with regularly-scheduled ICANN meetings.

There are apparently two other studies that ICANN will pursue, but requests for proposals have not yet been issued. See Generic Names Supporting Organization. These two are Proxy and Privacy Services and Implications of non-ASCII Registration Data in WHOIS records. See ICANN Policy Update ¶ 11 (Nov. 2009) (summary description of the first three study areas and related links).

The ICANN Staff is currently managing a fifth study area, which seeks to determine the feasibility of addressing public concerns of deficiencies in the WHOIS service, including with regard to “data accuracy and reliability, as well as in other technical areas noted in recent SSAC reports, such as accessibility and readability of WHOIS contact information in an IDN environment.” See Generic Names Supporting Organization.

Background of Concerns about WHOIS Data

WHOIS data can generally be defined as the full contact information for domain name registrants, including contacts for administrative and technical purposes. A WHOIS record relating to an individual domain name can also include the IP address of the associated web site, date of creation, renewal and expiration of the domain name, and the name of the registrar used to register and maintain the domain name.

Legitimate Uses of WHOIS Data

There are several legitimate uses of WHOIS data, among them the enforcement of intellectual property rights and criminal law enforcement. Accurate WHOIS information is necessary, for instance, to determine whom a trademark owner should contact if there are concerns about unfair competition or that the domain name may be infringing upon the holder’s existing rights. This information may also be used by law enforcement agencies to police instances of fraud, identity theft and other crimes. See, e.g., Federal Trade Commission Press Release, FTC Calls for Openness, Accessibility in WHOIS Database System, Continues to Recommend Enactment of the US SAFE WEB ACT, Sept. 20, 2006 (prepared statement also available); Federal Trade Commission Press Release, Accuracy of “WHOIS” Internet Database Essential to Law Enforcement, FTC Tells Congress, May 22, 2002 (prepared statement also available). There may be other legitimate business reasons to use the WHOIS registration data to contact the owner of a particular domain.

Several years ago, the results of searches of the WHOIS database for domain name owners provided robust contact information. Recently, however, the amount of information that appears in WHOIS search results has been significantly limited, most likely due to public concern about the protection of private information and conformance with other jurisdictions’ privacy laws, including foreign privacy laws such as the EU Directive 95/46/EC (officially, the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” available in multiple languages and formats through the European Commission Justice and Home Affairs page).

The method of performing WHOIS searches also has changed recently, particularly to block automated search engines (i.e., crawlers and bots) from harvesting the data contained in the records. Specifically, each time you perform a search, you are prompted to manually enter the characters that appear within a graphic image – something the automated search tools apparently cannot do.

Related Legislation

In 2004, Congress enacted the Fraudulent Online Identity Sanctions Act, Pub. L. No. 108-482 (Dec. 23, 2004) (codified in scattered sections of Titles 15 and 18). The Act did not create an independent right of action, but it provided certain enhancements to existing civil and criminal causes of action: specifically, 1) it provided a rebuttable presumption of “willfulness” if a trademark infringement action is brought against a registrant who has supplied false registration information in connection with the domain name in question (15 U.S.C. § 1117); and 2) if the registrant had been convicted of a felony (“other than offense of which an element is the false registration of a domain name”) in which the domain name at issue was registered and used in the course of committing the crime, the maximum penalty for the offense shall either be doubled or increased by 7 years, whichever is less. 18 U.S.C. § 3559. While this Act has apparently not had any wide-reaching impact, the mere fact that it was enacted demonstrates the value placed on the accuracy of this database.

Dispute Resolution

In addition, under certain circumstances, a plaintiff filing a complaint against a domain name in U.S. federal court (an “in rem civil action”) may serve the complaint by: “sending a notice of the alleged violation and intent to proceed under [15 U.S.C. § 1125(d)(2)(A)] to the registrant at the postal and e-mail address provided by the registrant to the registrar” and by “publishing notice of the action as the court may direct promptly after filing the action.” 15 U.S.C. § 1125(d)(2)(A)(ii). In this instance, the “registrant” is the person or entity who registered the domain name.

A problem arises, however, when a plaintiff attempts to contact directly the domain name owner through the “postal and e-mail address provided by the registrant to the registrar” if no such valid addresses are displayed in the WHOIS results. Specifically, if plaintiffs or their counsel attempt to reach out to the domain name owner – short of instituting litigation – to investigate whether infringement or unfair competition claims would be legitimate, the lack of valid contact information can be a significant barrier to resolution. If domain name owners invoke the private WHOIS or proxy services to shield their contact information, then it may not be possible to resolve valid claims about the legitimacy and/or non-infringement of the domain name without the investment of substantial extra time and cost. See Ian J. Black, “Hidden Whois and Infringing Domain Names: Making the Case for Registrar Liability,” 2008 U. Chi. Legal F. 431, 432 (2008); see also Network Solutions’ explanation of its private registration services (which provides alternate contact information to prevent the delivery of spam e-mails and telemarketing phone calls to the registrant, but distinguishes itself from proxy services in that it allows the registrant to remain the domain name owner and be listed in the public WHOIS database).

Similar service problems occur when a plaintiff relies on the Uniform Dispute Resolution Policy adopted by ICANN to arbitrate a domain name dispute. The Rules for UDRP Proceedings provide for service of a domain name dispute complaint through the e-mail addresses for the administrative, technical and billing contacts, to the postmaster of the domain name, and any other e-mail address the defendant identifies in response. Although the domain name dispute resolution provider (and not the plaintiff) is responsible for this service (see Rules ¶ 2(a)), the absence of valid or readily discernible e-mail addresses for the domain name holder can create problems in reaching a resolution of a dispute short of filing an arbitration complaint.

In both instances, pre-complaint discussions between the parties – or between counsel for the parties – are much more difficult when the contact information for the domain name holders is hidden. Certainly, parties can appeal to the registrars for permission to see the underlying contact information, but whether the registrar must disclose this information, and the timing of their disclosure, is not clear.

In some cases, proof of a valid dispute (e.g., service of a subpoena on the registrar) may be required before such information is released. See, e.g., Domains By Proxy’s explanation of legal issues associated with a private registration and its Proxy Agreement, ¶ 4 (providing that Domains by Proxy “has the absolute right and power, in its sole discretion and without any liability to You whatsoever, to . . . [among other remedies]: . . . ii. Reveal Your name and personal information that You provided to DBP when: A. Required by law, in the good faith belief that such action is necessary in order to conform to the edicts of the law; B. To comply with a legal process served upon DBP; or C. In order to comply with ICANN rules, policies or procedures.”) (emphasis added).

Invasive/Objectionable Uses of WHOIS Information

In its request for proposal, ICANN identified several inappropriate uses of WHOIS data that have spurred the investigation into the extent of Misuse: for example, “generation of spam, abuse of personal data, intellectual property theft, loss of reputation or identity theft, loss of data, phishing and other cybercrime related exploits, harassment, stalking or other activity with negative personal or economic consequences.” Terms of Reference for WHOIS Misuse Studies, Sept. 25, 2009, at 1; see also id. at 5 (providing definitions of e-mail spam, postal and telephone spam, phishing, abuse of personal data and identity theft).

Other Organizations Concerned about CyberCrimes and Consumer Protection
(as identified in ICANN’s Terms of Reference for WHOIS Misuse Studies RFP)

Cybercrime Researchers:
* Anti Phishing Working Group
* Privacy Rights Clearing House
* Online Trust Alliance (AOTA)

Consumer Protection, Regulatory, and Law Enforcement Organizations:
* U.S. Federal Trade Commission
* FBI/NWCC Internet Crime Complaint Center (IC3)
* Identity Theft Assistance Center (ITAC)

Resources for Conducting WHOIS Searches

Most domain name registrars offer a WHOIS search tool that they use in connection with determining whether a domain name you wish to register is actually available. Sometimes, the link to the WHOIS tool is hidden on a particular page, so you may need to hunt to find it. A few examples of the over 500 domain name registrars currently authorized to register new US domain names are: GoDaddy.com, Network Solutions, Inc., PrivateDomains and Register.com. Registration fees vary wildly between registrars, so if you are conducting a WHOIS search with the expectation of registering a domain name, shop around for the best deal that provides you with all of the tools that you need (such as web site hosting, development of web pages, e-mail management, etc.) before making a decision about which registrar to search for availability and registration of a domain name.

If you conduct a WHOIS search and find that a particular domain was registered through a particular registrar, you may wish to view the registrar’s specific WHOIS report because they sometimes contain more information about the domain name owner than the report that you find from another WHOIS tool.

Note that if you conduct a WHOIS search for a domain name through certain registrars, they may put the domain on “hold” for a short period if the domain name is available. Network Solutions describes this as a customer service benefit, allowing a customer to come back up to four days later to register a domain name that they searched. See Network Solutions Adds Customer Protection Measure. During the four-day hold period, the domain name can only be registered through Network Solutions. Id. This “hold” service may not be what you intended when you performed the WHOIS search, so be aware that the possibility exists before you conduct your search.

In addition, here are some other available tools for WHOIS searching:

* Domain Tools – offers basic WHOIS searching, as well as some other custom tools that are available for a fee.

* DomainIt – also provides a WHOIS Privacy registration. Explanation of the service (which masks your contact information and randomizes your e-mail address) can be found here. Among the reasons identified for registering the domain using this privacy service is the prevention of spam and identity theft, as ICANN raised in its own reports, above.

* InterNic’s WHOIS tool can search for domain names with the following gTLDs: .aero, .arpa, .asia, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel. The most commonly used in the US for general purposes are .com, .org and .net. (Note that the .edu extension generally is restricted to educational institutions.)

* Ripe NCC – WHOIS database that covers European domains, as well as those in the Middle East, Central Asia and northern Africa.

* Universal Whois Searches – also provides links to country code TLDs registrars for purposes of country-specific WHOIS searches.

* WIPO’s summary of procedures for resolving domain name disputes re ccTLDs (country code Top Level Domains). Click on the relevant country code link and you will be brought to the appropriate site for registry, WHOIS and dispute resolution. You can also access various international trademark databases through WIPO to search for potentially competing applications/registrations before filing for registration of your own mark.

Update on Anticipated Appointment of a Cybersecurity Coordinator

Updates a prior post: Anticipated Appointment of “Cyber Czar” on May 29, 2009.

While President Obama has not yet identified the individual who will undertake the position of Cybersecurity Coordinator (which has been referred to recently as a “Cyber Czar”), he apparently confirmed during a meeting of government officials and corporate executives on May 29, 2009, that this individual will be appointed to the staff of both the National Security Council and the National Economic Council. See Cam Simpson and August Cole, “Obama Moves to Curb Data-System Attacks,” The Wall Street Journal, at A9 (June 1, 2009) — You might need a subscription to The Wall Street Journal Online to view this article. As the Wall Street Journal put it, this individual will “effectively serve two masters.” Id. It will be interesting to see how effective this position will be, given the oversight by both agencies.

Related Links:

* President Obama’s remarks during the May 29, 2009 session, which provide a bit more information about the expected responsibilities to be assigned to the position:

“To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator. Because of the critical importance of this work, I will personally select this official. I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.

“Today, I want to focus on the important responsibilities this office will fulfill: orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response.

“To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council. To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.” (Emphasis added)

* The report by Melissa Hathaway’s team was released to the public on May 29, 2009, and is available on the White House’s web site. There is also a brief discussion of her remarks during the May 29 meeting on the Briefing Room Blog.

Anticipated Appointment of “Cyber Czar” on May 29, 2009

On May 26, President Obama announced among other things that he was establishing “new directorates and positions within the National Security Staff to deal with new and emerging 21st Century challenges associated with cybersecurity, WMD terrorism, transborder security, information sharing, and resilience policy, including preparedness and response.” Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

These new positions directly result from the completion of an interagency cyber-security study that he commissioned on February 9, 2009, “to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.” President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review, February 9, 2009. The study, led by Melissa Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, was to be completed within sixty days.

The White House reported that the study was completed and delivered to White House staff on April 17, and is currently being reviewed. Statement by the Press Secretary on Conclusion of the Cyberspace Review, April 17, 2009. Once the review of the conclusions is completed, the White House “will begin discussing the results.” Id.

During a speech delivered at the RSA Conference in San Francisco on April 22, 2009, Hathaway apparently discussed some of the report’s methodologies and promised that once the report was issued to the public, it would be apparent that significant work would be required to remedy identified concerns. Reports of the speech were published in various places, but notable among them were Government Technology and Fusion Authority.

Finally, according to Information Week, the White House is expected to release the study report to the public on May 29, 2009, at the same time the new positions in the National Security Staff are announced.

CDT Recommended Keeping Advisor Position within Department of Homeland Security

On May 1, 2009, Gregory T. Nojeim, Senior Counsel and Director of the Center for Democracy & Technology’s (“CDT”) Project on Freedom, Security and Technology, testified before a subcommittee of the House Committee on Energy and Commerce, arguing that the new positions be created within the Department of Homeland Security, instead of within the National Security Agency (“NSA”). See also Reuters, “Experts: Cybersecurity Czar Needs to Be White House-Based,” published by FoxNews on May 2, 2009; Cong. Rec., Daily Digest, May 1, 2009 at D486 (confirms that hearing was held and that testimony was received by “public witnesses,” but does not identify who testified).

In his printed remarks, Nojeim admonished that the White House’s role in cybersecurity should be limited to “set[ting] policy and direction, and to budget[ing] enough resources for the program” through a newly-created White House office – to ensure transparency in the planning and budgeting phase of the process. Testimony at p. 7. He further argued, however, that as far as cybersecurity operations were concerned, “[t]he lead for cybersecurity operations should stay with the Department of Homeland Security, and the NCSC [National Cyber Security Center] should be provided with additional resources and high-level attention.” Id. at p. 8. He explained in detail why these operations should not be controlled by the NSA, including articulating CDT’s concerns that the NSA’s expertise in “spying” does not “necessarily entail superior expertise in cybersecurity.” Id. at p. 7.

The House Committee on Oversight and Government Reform held a hearing on May 5, 2009 to address “Cybersecurity: Emerging Threats, Vulnerabilities, and Challenges in Securing Federal Information Systems.” Cong. Rec., Daily Digest, May 1, 2009 at D489; see also Daily Digest, May 5, 2009, at D503 (identifying testifying witnesses).

The Senate Committee on Energy and Natural Resources also held a hearing on May 7, 2009 “to receive testimony on a Joint Staff draft related to cybersecurity and critical electricity infrastructure” at which witnesses were to testify by invitation only. Cong. Rec., Notice of Hearings, April 30, 2009, at S4994; see also Cong. Rec., Daily Digest, May 7, 2009 at D520 (identifying testifying witnesses who appeared during the hearing).

Expected Mandate of the CyberSecurity Director (“Cyber Czar”)

On May 26, 2009, after the President’s announcement, FoxNews broadcast its analysis (in video format). The analysis addressed a potentially “broad mandate” to be assigned to this new office, but did not provide any particular detail – presumably because the White House has not yet released any detail about these new positions.

Note that thus far, not only does it appear that a director-level position will be created, but also subordinate positions reporting to the director. It also appears that these positions actually may be created within the NSA, and not the Department of Homeland Security, as the CDT recommended. See Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

New Bill Proposed on April 1 Supports Creation of National Cybersecurity Advisor

Several weeks before these announcements, Sen. John D. Rockefeller, IV (D-WV) introduced Senate Bill S. 778 (on April 1, 2009), which proposed certain duties and responsibilities of a “National Cybersecurity Advisor,” including acting as principal advisor to the President on cybersecurity legal issues, reviewing all cybersecurity-related budget requests, directing sponsorship for certain security clearances and employing experts or consultants as needed for “cybersecurity-related work.” S. 778, section 1(b).

An additional proposed duty is particularly troubling from a privacy perspective: “[N]otwithstanding any provision of law, regulation, rule, or policy to the contrary, [the National Cybersecurity Advisor shall] have full access to all Federal cyber-compartmented or special access programs.” While some of the terms in this provision are not defined – notably, “cyber-compartmented . . . programs” – the breadth of this provision and its clear rejection of the authority of other laws seem overreaching, perhaps permitting this Advisor to have unfettered access to certain information that may have been protected from disclosure by these other laws, regulations, rules or policies. Id., section 1(b)(5).

This bill was read twice when it was introduced and referred to the Senate Committee on Homeland Security and Governmental Affairs. Current status of the bill can be found here.

A More Detailed Bill, The Cybersecurity Act of 2009, S. 773

Senator Rockefeller proposed another bill on April 1, 2009: The Cybersecurity Act of 2009, S. 773. This bill identifies a more rigorous cybersecurity plan, including the ability to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” or disconnect these systems or networks in the “interests of national security.” Section 18, paras. 2 and 6.

The breadth of this proposed power to foreclose access to Federal government agency systems is troubling. One hopes that this power to declare an emergency – sufficient to deny access to public services – will not be wielded lightly, especially given the current Administration’s stated interest in providing transparency to government operations. The bill does not provide any guidelines for the identification of such an emergency, or for the determination of how long access should be denied, but it is anticipated that these guidelines will be included in any regulations associated with an act of this nature.

The CDT similarly criticized these powers through Mr. Nojeim’s May 1, 2009 testimony. Testimony at p. 4.

Because S. 773 does not refer to a National Cybersecurity Advisor or the powers intended to be assigned to this Advisor, further discussion of this bill is beyond the scope of this posting.