ICANN Groups Seek Resolution of Nagging Whois Privacy Issues
Long-standing concern over use and abuse of information logged into “Whois” databases of domain-name owners has prompted several groups to schedule a meeting during this week’s ICANN meeting in Vancouver. The debate over what contact information registrants should be required to provide and who should have access has spawned 3 task forces and consumed countless hours of discussion. With law enforcement agencies, intellectual property rights-holders and others increasingly relying on Whois information to track miscreants, several ICANN constituencies said it’s time to address the serious privacy implications of the database.
ICANN-accredited registrars are required to obtain contact information from domain-name buyers, provide it to the public through a Whois service, and investigate, report and correct inaccurate information. Data collected include the registrant’s name, address, e-mail address, telephone and fax numbers and the technical and administrative contacts for the registered name.
“As a woman, a political organizer, and an attorney with many personal opinions, I find it unnerving that the cost of my participation online is the loss of my privacy,” said Kathryn Kleiman, co-founder of ICANN’s Non-Commercial Users Constituency (NCUC), who’s spearheading the privacy conference in Vancouver. To get a .com or .org domain, registrants must disclose home addresses, telephone numbers and personal e-mail addresses, she said, all of which is then published by registrars “in the global instantly available” Whois directory.
With those data available, Kleiman said, “my friends and clients have been stalked, harassed and spammed,” while others have opted to stay off the Net, chilling their free speech. The U.S. accords the highest level of protection to political and personal speech, “yet even basic privacy isn’t recognized in the generic top-level domain (gTLD) Whois directories.”
The Nov. 29 privacy conference will bring together country-code top-level domain managers that have adapted their Whois databases to comply with their national laws, and explore proposals by several constituencies to bring ICANN’s Whois rules into compliance with data and free speech protections worldwide, Kleiman said.
Constituencies Differ on Privacy Risk
In Oct., the combined Whois task force of the Generic Names Supporting Organization published a policy recommendation for procedures for handling conflicts between a registrar’s duty to collect personal information and its obligations under privacy laws. The 6 constituencies -- commercial and business users, noncommercial users, intellectual property (IP), registrars, registries and ISPs and connectivity providers -- agreed there’s an ongoing risk of such a conflict, but differed on how much information registrants should have to submit to a Whois database and how public it should be.
In general, the business and IP communities want accurate data that are publicly available. “Registrants are obtaining domain names in order to engage in communications with the public and therefore should provide accurate and complete information so that they can be ‘found’ through a Whois query,” the Business Constituency wrote.
The IP Constituency approved the policy recommendation despite believing the risk of misuse of Whois data is low. “A sound policy in this area would benefit constituency, whose members rely upon public access to Whois data to manage their domain name portfolios, enforce their rights against copyright and trademark infringers, and combat cybersquatting.” Registries and ISPs also favored the creation of a policy, though they, too, questioned the risk of conflicts between privacy rules and Whois requirements.
But noncommercial users and registrars say the Whois database should be reformed. In Oct., registrars approved a statement on the purpose of Whois. A popular view is that the system is meant to serve as a directory of contact information, the group said, but there’s evidence “that implies a much broader purpose for the gTLD Whois system.”
The database is actually a record lookup service that lets 3rd parties determine who holds the delegation for a particular 2nd-level domain, registrars said. It’s not intended to provide contact information to help 3rd parties resolve criminal or civil matters or give the general public ready access to the identity and contact information for domain name owners. Registrars have proposed that contact information associated with registrant types be removed and that maintaining separate records for administrative and technical contacts isn’t relevant.
The purpose of the database is “to provide to 3rd parties an accurate and authoritative link between a domain name and a responsible party who can either act to resolve, or reliably pass information to those who can resolve, technical problems associated with or caused by the domain,” an NCUC statement said. Compiling technical data, such as a registrant’s ISP or Web host, doesn’t raise strong privacy issues -- but requiring information about a registrant’s administrative contact might, because those contacts might be individuals who must list their private numbers and e-mail addresses. If the purpose of the database is technical, such administrative information should no longer be collected, the NCUC said.
Data on the domain name holder should be treated with “special care,” non-commercial users said. Personal addresses and numbers are “exactly the type of data that data protection laws seek to protect.” The European Union’s Art. 29 Data Protection Working Party, made up of national data protection commissioners, has “urged ICANN to limit the amount of personal data to be collected and processed,” the NCUC said. Because individual registrants “rarely answer technical questions about their domains or their abuse” -- instead referring them to their technical contact -- the collection of registrant data serves little purpose and should be stopped.
The working party’s views on the sensitivity of Whois data have been echoed by other privacy experts as well. An NCUC background paper for this week’s meeting cites the International Working Group on Data Protection in Telecommunications -- “the current registrar accreditation agreement developed by ICANN does not reflect the goal of the protection of personal data or domain name holders in a sufficient way” -- and the European Commission Internet Market Directorate-General: “Not everything that seems useful or desirable is legally possible.”
This month, Canada’s ccTLD registry launched a consultation on a new policy to shield personal data from mandatory publication in the .ca Whois, NCUC said. Australia’s .au registry is barred by law from disclosing registrants’ street addresses, phone or fax numbers, though contact e-mail addresses are public. It’s now consulting on whether to make such e-mail addresses available in a non-machine-readable format.
Balancing Act
The U.K.’s ccTLD registry, Nominet, is one of the majority of ccTLDs that don’t have formal contracts with ICANN, so it’s not bound by ICANN’s Whois policy, its company solicitor told us. Like other EU countries, the U.K. is subject to laws which require it to keep data protection in mind when creating a Whois requirement, said Edward Phillips. The registry requires much less personal information than ICANN registries must collect, and, unlike ICANN, it allows consumers to have their addresses omitted from the database.
The ICANN community appears to have split into separate camps -- some who want personal information available for use by law enforcement, and others who want it kept private, said Phillips. But, he added, registries must balance “privacy with accountability.” Nominet does that by allowing individuals to withhold their private addresses and by refusing to provide the entire database to anyone.
Nominet is moving away from a single-purpose Whois system to a “bespoke,” or customized, system in which access depends on who’s seeking the information and for what, Phillips said. Coming soon is a Whois2 system to police for abuse of the database, a separate database for IP rights-holders, and other changes.
The U.K. Information Comr. is satisfied that Nominet is dealing responsibly with Whois information, a spokeswoman told us. The registry will, under appropriate order, provide information to the police or IP owners, but there must be “reasonable cause” for the request.
The privacy conference is cohosted by the NCUC and Registrar Constituencies, and the Public Interest Registry, which manages .org. It will look at how ccTLDs are adjusting their Whois policies to comply with privacy laws; how ISPs and telcos deal with requests for personal information such as chatroom and e-mail identities; and ideas for the future of gTLD databases. Speakers include Marcus Heyder, FTC legal adviser for international consumer protection, and Heather Black, Canada’s asst. privacy comr. - Dugie Standeford