(http://www.vortex.com/privacy/priv.10.03)
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

-------------------------------------------------------------------

CONTENTS
Network Solutions Sells Out – Domain Info For Sale to Marketers
(Lauren Weinstein; PRIVACY Forum Moderator)

VOLUME 10, ISSUE 03

Quote for the day:

"Someday you too will be King,
and you too will know everything!"

– King Mongkut of Siam (Yul Brynner)
"The King and I" (Fox; 1956)

----------------------------------------------------------------------

Greetings. As dot-com companies continue to drop like flies, and many Internet banner-ad business models are relegated to the scrapheap, increasing numbers of Internet-related firms are finding that one of their few truly valuable assets is their customer database, often chock full of fascinating information. Even small databases with high accuracy rates can be lucrative, while large databases can prod even the most jaded of direct marketing gurus into a frenzy of excitement.

So, we really shouldn't be surprised to learn that Network Solutions, Inc. (NSI), the 800-pound gorilla of ".com" domain registrations, is now busily promoting the availability of their domain registration database – and related activity tracking services – for direct marketing uses. Such moves are almost certain to create a firestorm, given past questions regarding NSI's former effectively "monopoly" status (including concerns at the Congressional level). One can't help but wonder if NSI's moves to market users' domain data are the result of terminal greed, serious "cluelessness," or some morbid combination of both.

Even though NSI now has some competition in the domain name registration business, they still control the bulk of the most lucrative domain registration space, are involved behind the scenes with .com registrations by their competitors, and are key to the running of the Internet Domain Name System (DNS) itself at crucial levels. Many parties expressed concern when VeriSign (which controls the lion's share of the public key encryption certificate market) recently purchased NSI. The effects of this sort of business concentration are now becoming very evident.

Network Solutions is anything but shy when it comes to promoting the value of the data that most domain holders have been required to provide NSI over the years. Advertising text apparently placed by NSI in publications devoted to direct marketing has been very enthusiastic:

On your mark, get set, go! The VeriSign/Network Solutions domain registration database is available for the first time ever. Approximately 6 million unique customers, sliced and diced for you to target prospects ..."

... You can target based on their status in the dot com lifecycle: Is their web site live, is it secure or e-commerce enabled? We'll even tell you about their host switching behavior ...

Did you realize that you signed up for this sort of sales blitz back when you got your domain? Surprise! And what's that? You've had your domain with NSI for ages, and you can't recall them ever clearly notifying you that your domain registration had become marketing fodder? You're not alone!

The actual URL that contains the pitch for NSI's marketing of domain and related data is at:

http://www.dotcom.com/services/index.html [Update 4/22/2003: Link no longer active and we cannot locate a comparable one.]

Dotcom.com, by the way, appears to be NSI's primary data marketing arm. On that page, you can find glowing descriptions of how your domain data is now for sale: "Taking advantage of our position as a market leader, we have organized our pool of over 15 million registered domain names into a customer database of over 5 million unique customers. Our data service offers access to the key decision-makers behind millions of leading Web businesses."

"Taking advantage" is certainly an apt description. They go on to note that:

We also track the progress of sites through key stages in the dotcom lifecycle, including live or not-live sites, e-commerce status, membership features and more. Want to target only small businesses with live sites? Nobody offers a better snapshot of this hard-to-reach group than we do...

But wait! There are even more of your domain-data goodies available:

For ISPs and other service providers, meanwhile, we offer extensive data on registered businesses' site switching behavior and hosting arrangements. ISPs and Web hosting firms can use this data to target customers when they're most likely to be ready for new opportunities.

Yep, it appears that your every domain move may be watched – and sold. The dotcom.com privacy policy link doesn't really seem to address any of these issues. In order to find the operative language, you have to dig through NSI's main privacy policy page.

Dig down deep enough in that text, and you can find mentions of what NSI calls "bulk" access and "business partner" access to the domain database. One or both of these appear to be NSI codeword phrases for marketing.

While NSI apparently will ask the firms who buy your domain data and related information to refrain from sending out spam e-mail, that's the only significant restriction (other than non-transferability) on the use of the data that's detailed in the privacy policy itself. Since the friendly marketing folks getting your info from NSI are likely to want a method to contact you one way or another, it appears probable that other elements of the data, such as phone, fax, and mailing address, are the key contact points. And who knows, maybe your e-mail address will still get onto some spam lists as well.

If you don't want to participate in NSI's bulk/marketing bonanza, you'll need to avail yourself (*now* that you'll know about them) of their opt-outs. Buried within their privacy policy it says that you can send notes with the text:

remove bulk access

in the subject lines of e-mail to:

privacy@networksolutions.com

with a list in the body of the message detailing the domains (for which you are the registrant) that you wish to opt-out.

It is not detailed how such requests are authenticated, nor is any particular format for the lists specified. If a human is reading those requests, they're likely to be getting pretty busy very soon!

Concerns about the privacy of domain registration data have been raised in the past, mostly relating to the theoretical possibility of the data being abused. That having been said, the public "whois" databases, which provide access to individual domain registration records, are still crucial resources for network administrators attempting to correct network problems, determine the source of spa m or hacking attacks, and so on.

For quite awhile, NSI has been taking steps to limit the public's access to that whois data in various ways. There are warnings displayed about its use. In some cases, NSI has apparently attempted to "cut off" sites that were felt to be submitting too many individual queries to the database through whois. One might have thought that NSI's motive in this regard was to help prevent abuse of the data for commercial purposes. But now it appears that their primary concern may have been simply to protect the domain-data mother lode for themselves, just waiting for the day that they could cash in their domain chips bigtime.

These issues reflect darkly on much more than only the matters of being hassled by telemarketers and junk mail. Any situation that inspires significant numbers of domain registrants to provide inaccurate contact data (telephone, fax, address, etc.) could result in serious potential problems for the stability of the Internet itself when abuses or technical failures occur. It's absolutely crucial that responsible individuals be reachable in such situations. Yet, NSI's creation of a marketing profit center from their registration database – and the information that domain registrants have been *required* to provide – could have exactly that very dangerous effect.

I said earlier that it was unclear if NSI's marketing moves were the result of greed, a lack of understanding of the seriousness of their actions, or both. Regardless of the current situation's genesis, there's one thing that can clearly be said about the marketing monstrosity they've created. It deaccessfinitely stinks.

– Lauren –
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 10.03

February 15, 2001

Advertisers Peeking at Your Hard Drive

Advertisers are peeking into your hard drive – through Napster. What are the implications when advertisers can get personal details about you from your own computer, and then turn around and use them to market to you? Check out this great article at Salon.com.

What can you do: If someone sends you an advertising-related instant message while you're browsing Napster, let them know that you'll never do business with a company that invades your privacy.

February 12, 2001

Corporations Rename Boston's Subway Stations

There's a news item in USA Today about the Massachusetts Bay Transportation Authority selling corporate naming rights to four Boston subway (a.k.a. "T") stations.

Please write to the MBTA and ask them not to allow corporations to rename Boston's subway stations. A subway is not an advertising medium, and its riders should not be considered a captive audience for ads. The e-mail address for the MBTA is feedback@mbta.com.

February 8, 2001