In addition to the work we do for Google, Microsoft, the US FDA and others, LegitScript is involved in various Internet policy initiatives through the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees most of the Internet’s infrastructure. One group we’re involved in is looking at this question: in what situations should domain name registrants be permitted to anonymize their “Whois” information — the data that every website operator is required to provide when registering a domain name?
For those unfamiliar with Whois, here’s the background. Let’s say that you want to know who is really operating the website cnn.com, legitscript.com, or — for purposes of the world LegitScript monitors — Internet pharmacies such as medsindia.com, drugstore.com, or northwestpharmacy.com. Running a “Whois” query on a domain name (you can do this at websites like whibse.com or domaintools.com for no cost) allows you to verify who has registered the domain name. Two of the “rules” that ICANN has (quite reasonably) set are: first, there nearly always must be a Whois record for a domain name; and second, Whois records have to be accurate. Falsified Whois records are grounds for domain names being deleted, which results in the website becoming inaccessible.
But let’s say that you don’t want your personal information, like your address and phone number, out there. Most domain name registrars — companies like GoDaddy, Name.com, and Gandi SAS — offer what is typically called a “privacy” or “proxy” service, in which you still provide your registration information, but it’s replaced with the contact information of the registrar’s privacy service. If someone needs to get ahold of you (say, they want to buy your domain name and make you an offer), they can try and contact you through the registrar’s service. In short, your registration information is concealed.
The privacy services are (in our opinion) a good thing when used to help individuals keep their personal information private. Many of us have domain names that we use for personal, noncommercial reasons, and using a privacy service for those domain names helps keep our home address, phone number, and email address confidential. But what about commercial domain names — that is, the registration information for websites that are actively engaged in commerce, selling products or services? Whether such websites should be able to similarly conceal their identity, location, phone number and email address from customers has been the subject of vigorous (and occasionally contentious) debate within the ICANN community.
Our view is that it makes no sense to let companies that are using websites to sell products and services hide their identity or location; privacy services should be for individuals, but there’s no compelling reason to allow people or businesses selling things over the Internet to hide their identity from their customers. It’s a basic tenet of consumer protection: consumers are better protected when there is transparency as to the seller’s identity and location, which creates a deterrent to ripping one’s customers off. Think about it this way: in the non-virtual world, businesses aren’t allowed to hide their identities. Why should the virtual world be any different?
Internet pharmacies help underscore the reasons why letting businesses mask their identity and location is a bad thing for everyday Internet users. Legitimate Internet pharmacies like drugstore.com, cvs.com, or amberpharmacy.com have no conceivable reason to hide their identity. But consider an Internet pharmacy like northwestpharmacy.com, which operates illegally and markets itself as “Canadian” while actually shipping drugs from other countries (not usually from the actual Canadian pharmacy whose license it appropriates). The Internet pharmacy’s domain name is registered to “Kyle Rocheleau,” at “Privacy Hero.” (Mr. Rocheleau is an employee of DomainsAtCost, the registrar that provides the privacy service — not an employee of the Internet pharmacy.) This raises the questions: what, exactly, is heroic about helping an illegal online pharmacy conceal its actual location and who runs it from its customers, pharmacy regulators, and the general public? And what does northwestpharmacy.com have to hide? Does Mr. Rocheleau have NorthwestPharmacy’s “pharmacy licenses” on file — or even know where the drugs really come from? If a patient receives falsified medicines, will Mr. Rocheleau be prepared to competently discuss the patient’s health with him or her? And why, precisely, does DomainsAtCost feel that it serves a public good to help an illegal Internet pharmacy hide the actual registrant’s identity from patients relying on the Internet pharmacy for medicines?
Part of the answer, of course, is that northwestpharmacy.com only masquerades as a “Canadian” Internet pharmacy — despite being able to trot out a Canadian pharmacist or two, the drugs don’t really come from a Canadian pharmacy in most cases, and the Canadian pharmacist usually doesn’t even handle the drugs. As another part of the answer, it’s worth pointing out that DomainsAtCost (incidentally, a branch of Momentous, a group of registrars that LegitScript has identified as a “top 10 safe haven” for illegal online pharmacies) profits from offering these privacy services to website operators. At $9.95 a year per domain name, the estimated 4,000 Internet pharmacy domain names that are privately registered with Momentous are worth … well, you do the math. And that doesn’t even count the domain name registration fees themselves.
Most proponents of letting commercial-use domain name registrants hide their identity — many of whom benefit financially by offering these services — have couched their argument in terms of privacy rights for domain name registrants, arguing that affording the right to an anonymous domain name registration merely reflects privacy rights that exist in several countries. That’s a good argument when the website isn’t being used to sell things. But as noted in this White Paper that LegitScript recently assisted in developing, the argument that corporations have a right to hide their identity from their customers simply doesn’t stand up to scrutiny. (LegitScript assisted FWD Strategies International in the development of this paper.)
Of course, Internet pharmacies are a tiny subset of all online merchants, and an unusually high-risk one at that. But the same principle applies whether you are buying medicines, shoes, or goldfish from an Internet seller: you, the consumer, have the right to know who you are dealing with — and there’s no logically sound reason for online merchants to hide their identity.
What do you think — should businesses selling goods or services over the Internet have the right to hide their identity? Weigh in with your thoughts. More detail about LegitScript’s and others’ arguments against Internet merchant anonymity can be found in the White Paper.