[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

WHOIS

In the first quarter of 2007, more than 10.7 million new domain names were registered. This brings the total number of registrations to an all time high of 128 million domain names.[783] Registrants include large and small businesses, individuals, media organizations, non-profit groups, public interest organizations, political, and religious organizations, and support groups. These domain name registrants share their services, ideas, views, activities, and more by way of websites, e-mail, newsgroups, and other Internet media. Registrants are required to provide information in the registration process, which is then made publicly available.

The Internet Corporation for Assigned Names and Numbers (ICANN), a private-sector corporation that coordinates policy for the Internet, has established contractual arrangements with the registries that manage the top-level domains and the registrars that sell the domain names to the registrants[.] ICANN requires public disclosure on the Internet of domain name registrants' contact information (such as mailing address, phone number and e-mail address), administrative contact information, technical contact information, domain name and servers, and other information.[785] This information is referred to as "WHOIS" data. Its public availability has generated concerns over privacy protection.

Under ICANN's WHOIS policy, Internet users are unable to register for a domain anonymously. The WHOIS database broadly exposes domain name registrants' personal information to a global audience, including criminals and spammers.[786] Anyone with Internet access has access to WHOIS data, including stalkers, corrupt governments cracking down on dissidents, spammers, aggressive intellectual property lawyers, and police agents without legal authority.[787] Even those speaking out for human rights cannot conceal their identity. While it is true that some registrants use the Internet to conduct fraud, most domain name registrants do not, and many have legitimate reasons to conceal their identities and to register domain names anonymously. For example, political, artistic and religious groups around the world rely on the Internet to provide information and express views while avoiding persecution. Concealing actual identity may be critical for political, artistic, and religious expression.[788]

WHOIS data lends itself to both good faith and bad faith uses, and investigating fraud is only one of many uses of WHOIS data[.] There now exist various automated data mining procedures that provide bad-faith users with access to large amounts of personal data at a time, rather than just individual queries. Web-based WHOIS services now have to complicate their access procedures, for example, requiring users to enter number codes before they can retrieve information. The WHOIS database was not originally intended to allow access for such a variety of purposes. The original purpose of WHOIS was instead to allow network administrators to find and fix technical problems with minimal hassle in order to maintain the stability of the Internet.

ICANN's WHOIS policy requires that registrants provide accurate WHOIS information, or otherwise forgo a domain name.[790] If a domain registration is assumed to have inaccurate information, registrants are contacted and given a very limited amount of time to address the problem. Data entered at registration may change in the real world and registrant may forget to update it. They may lose their domain if they are unable to respond quickly to any attempts to contact them. Privacy experts have noted that a policy requiring accurate WHOIS data and then publicly disclosing the data creates serious implications for free speech.[791]

The ICANN WHOIS policies conflict with national privacy laws, including the EU Data Protection Directive, which require the establishment of a legal framework to ensure that when personal information is collected, it is used only for its intended purpose. At a recent ICANN meeting, George Papapavlou, a representative from the European Commission stated that if the original purpose of the WHOIS database is purely technical, the rights of access to and collection of that information pertain solely to that original purpose.[792] Speaking at the "Freedom 2.0" conference held by EPIC in May 2004, Vinton G. Cerf, the President of ICANN, confirmed directly that the original purpose of WHOIS was indeed purely technical.[793] As personal information in the directory is used for other purposes and ICANN's policy keeps the information public and anonymously accessible, the database could be found illegal according to many data protection laws including the European Data Protection Directive.[794]

Under European law, technical users would be the only ones with a legitimate claim to the information. While intellectual property lawyers and law enforcement officials claim the WHOIS database must retain all its current data in its public form as a resource for investigations, the fact that the WHOIS database was originally created for technical purposes makes it clear that such claims to the database would be inconsistent with its original purpose.

In 2003, ICANN's Generic Names Supporting Organization (GNSO) began a policy development process identifying three issues, access, data and accuracy, and creating task forces to study and make recommendations on each. EPIC is serving on one of the WHOIS task forces. The outcome of the WHOIS Policy Development Process will have a significant impact on privacy, civil liberties, and freedom of expression for Internet users.[795] Civil liberties groups and the Non-Commercial Users Constituency[796] of ICANN urged ICANN to limit the use and scope of the WHOIS database to its original purpose, which is the resolution of technical network issues, and to establish strong privacy protections based on internationally accepted privacy standards. This limitation would entail restricting access to the data, minimizing data required to only that needed for technical matters, and not penalizing registrants for protecting their personal information by entering inaccurate personal data elements. In April 2006, the GNSO Council adopted a working definition of the purpose of WHOIS that restricts use of WHOIS data to its original purpose. "The purpose of the gTLD WHOIS service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver."[797] The working definition has not yet been adopted by the ICANN Board.

In March 2007, the WHOIS Task Force sent its Final Task Force Report on WHOIS Services to the GNSO Council for adoption.[798] The Report endorses a proposal that would remove registrants' mailing addresses, phone and fax numbers and email addresses from the publicly available WHOIS database. The GNSO Council considered the Final Report at the ICANN meetings in Lisbon, but because the proposal endorsed in the Final Report leaves many implementation details unanswered, the Council decided to establish a new working group to examine implementation issues.

While ICANN has considerable authority over the development of WHOIS policies for the generic top-level domains (gTLDs), such as .com, .org, and .net, it is unclear whether ICANN will be able to exercise similar control over the country-code top-level domains (ccTLDs), such as .uk and .de, which may choose to follow national policies. Significantly, country code Top Level Domains are moving to provide more privacy protection in accordance with national law. For example, regarding Australia's TLD, .au, the WHOIS policy of the .au Domain Administration Ltd (AUDA) states in section 4.2, "In order to comply with Australian privacy legislation, registrant telephone and facsimile numbers will not be disclosed. In the case of id.au domain names (for individual registrants, rather than corporate registrants), the registrant contact name and address details also will not be disclosed." In addition, auDA does not allow bulk access to WHOIS data, which ICANN's gTLDs do.[799] It is unclear what, if any, indirect effect the GNSO WHOIS policy development will have on the policies of ccTLDs.

The ICANN WHOIS policy process has continued for several years, yet has failed to resolve many of the privacy risks faced by Internet users that result directly from ICANN's own data practices. While some progress was achieved in 2007, much work remains to be done.

[783] VeriSign Domain Name Industry Brief, "The Domain Name Registrant Profile," June 2007 <http://www.verisign.com/static/042161.pdf>.

[.]>.
[785] The Internet Corporation for Assigned Names and Numbers, Registrar Accreditation Agreement <http://www.icann.org/registrars/ra-agreement-17may01.htm>.

[786] Milton Mueller, Ruling the Root 235 (MIT Press 2002).
[787] Comments of the Public Interest Registry (PIR) on the Final Report on WHOIS Accuracy and Bulk Access of the Whois Task Force of the Generic Names Supporting Organization (hereinafter "PIR Comments on WHOIS"), available at <http://www.pir.org/PDFs/pdf00000.pdf>.
[788] PIR Comments on WHOIS, supra.

[.]>.

[790] The Internet Corporation for Assigned Names and Numbers, Registrar Accreditation Agreement <http://www.icann.org/registrars/ra-agreement-17may01.htm> and The Internet Corporation for Assigned Names and Numbers, WHOIS Data Reminder Policy, Advisory on June 16, 2003, <http://www.icann.org/announcements/advisory-16jun03.htm>.
[791] EPIC Privacy Issues Report, supra, and PIR Comments on WHOIS, supra.

[792] "WHOIS data: The EU Legal Principles," March 2, 2004, available at
<http://www.icann.org/presentations/papapavlou-whois-rome-03mar04.pdf>.

[793] "Vint Cerf Discusses Privacy and the Internet," EPIC Alert, May 29, 2004, available at <http://www.epic.org/alert/EPIC_Alert_11.10.html>.

[794] Available at<http://ec.europa.eu/justice_home/fsj/privacy/>.

[795] See generally EPIC's WHOIS web page <http://www.epic.org/privacy/whois/>.
[796] See generally the Non-Commercial Users Constituency's homepage <http://www.ncdnhc.org>.
[797] ICANN Whois Services page <http://www.icann.org/topics/whois-services/>.

[798] Final Task Force Report on Whois Services, March 16, 2007, available at <http://www.icann.org/announcements/announcement-16mar07.htm>.

[799] The .au Domain Administration Ltd, WHOIS Policy (2002-2004) <http://www.auda.org.au/policies/auda-2002-04/>.