Contribution Memorandum: Privacy Implications of WHOIS Database Policy

Submitted to the Secretariat of the Internet Governance Forum by the ICANN Non-Commercial Users Constituency (NCUC) for IGF Greece 2006, Athens, 30 October – 2 November 2006

The Non-Commercial Users Constituency (NCUC) is the part of the Internet Corporation for Assigned Names and Numbers (ICANN) that represents the interests of noncommercial Internet users.  NCUC is a voting member of the Generic Names Supporting Organization (GNSO), which develops policy and advises the ICANN Board on matters regarding generic top-level domains on the Internet.  NCUC develops and supports Internet policies that favor noncommercial use on the Internet. The NCUC is made up of 40 civil society organizations from around the world and maintains a website at  http://www.ncdnhc.org.

Introduction:  The WHOIS Database and Internet Governance

The WHOIS database is a list of contact information for Internet domain name registrants, originally intended to enable timely resolution of any technical problems involving domain configuration and operation.  The data include mailing and email addresses, and telephone and fax numbers for generic top-level domain (gTLD) registrants and their administrative and technical contacts.  gTLDs include the “.com”, “.info”, “.org”, “.mobi”, “.net” and several other domains, which include a wide variety of institutions and individuals across the globe engaged in a broad range of expressive, communicative, and transactional activities using websites, email, newsgroups and other media that operate over the Internet. The personal contact data associated with these domains are currently globally accessible to anyone with Internet access, regardless of purpose, according to policy set by ICANN.

There are many domain registrants involved in legal, legitimate activities that may invite persecution or harassment of various sorts, and they risk serious harm and/or expense if they are not able to conduct their activities either anonymously or pseudonymously. ICANN’s policies requiring global, unrestricted, unmonitored access to accurate identifying information without concomitant measures to protect personal privacy endanger these registrants unnecessarily, and in many cases conflict with national and regional laws, treaties and directives.

The policies governing the WHOIS service are set by ICANN’s Board, based on proposals from the GNSO.  Therefore, all individuals and institutions across the entire Internet who register gTLDs are governed by the policies that ICANN makes in this regard.  This is a centrally important area of Internet governance, and reform is needed in order to conform to international standards.

Civil Liberties Violations of WHOIS Policy

ICANN’s current policy of requiring all contact information in the WHOIS database to be (a) complete and accurate, as well as (b) made available to anyone with an Internet connection, raises several serious problems in the areas of privacy, freedom of expression, due process and identity theft.  By making these data generally available without meaningful restriction, many people can gain access to the data for purposes well beyond the technical problem resolution motivating collection of the data in the first place.  This enables a broad range of misuses and abuses of the data that are entirely unnecessary and often in conflict with established legal precedents.

Privacy:  For individual domain registrants who have no separate business address, registering a domain may require providing a home address.  This can enable many types of criminal activity, including stalking, which may otherwise be avoided by keeping home address information generally unavailable to anyone who is not bound by an explicit privacy agreement protecting against unauthorized access, or who is not subject to data privacy protection laws. For registrants who are able to use a business address, providing an email address still creates systematic vulnerability to spammers, phishers and hackers.  And the identification of contact names allows stalking at business addresses, even if not at home addresses.

Given the public availability of WHOIS data, many registrants involved in legal activities that might invite persecution or harassment try to protect their personal privacy by entering incomplete or incorrect information. Thus, the lack of appropriate privacy protection creates incentives for systematic degradation of data accuracy.  This both violates ICANN’s WHOIS policy and obstructs the original intent to enable technical problems to be solved quickly.

Privacy laws:  The European Union issued a Data Protection Directive in 1995 that addressed privacy issues with the intent “that personal data should be able to flow freely… but also that the fundamental rights of individuals should be safeguarded” especially the right to privacy.[1] This directive included provisions that personal data should be “processed fairly and lawfully” and “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”[2]

Allowing access to personal contact information by people not substantively involved in resolution of technical problems with Internet domains violates these provisions by allowing unfair and unlawful processing of the data above and beyond that legitimate technical purpose.


[1] DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, of 24 October 1995, Introduction, paragraphs (3) and (10). http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

[2] ibid, Article 6, paragraphs (a) and (b).  http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf

This directive applies directly to the EU’s 25 member states, and other countries have adopted similar laws, including Israel, Canada and Australia.[3]

The Canadian and Australian laws contain provisions for limiting the general publication of personal information in their national-domain WHOIS databases (that is, for Canada’s “.ca” and Australia’s “.au” top-level domains).  This provides a sound precedent for policy to be applied to gTLDs.  Many data protection authorities around the world have written detailed descriptions of how ICANN’s current policies regarding gTLDs violate national and regional privacy laws.[4]

International precedents for privacy protection were established by the United Nations General Assembly in 1948, with the Universal Declaration of Human Rights.[5]  Article 12 states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

In addition, the WSIS Tunis Agenda for the Information Society includes statements of principle with regard to protection of privacy and protection against abuse of data:[6]

* Paragraph 39 states in part: “We reaffirm the necessity to further promote, develop and implement in cooperation with all stakeholders a global culture of cybersecurity, as outlined in UNGA Resolution 57/239 and other relevant regional frameworks. This culture requires national action and increased international cooperation to strengthen security while enhancing the protection of personal information, privacy and data.”

* Paragraph 42 states: “We reaffirm our commitment to the freedom to seek, receive, impart and use information, in particular, for the creation, accumulation and dissemination of knowledge. We affirm that measures undertaken to ensure Internet stability and security, to fight cybercrime and to counter spam, must protect and respect the provisions for privacy and freedom of expression as contained in the relevant parts of the Universal Declaration of Human Rights and the Geneva Declaration of Principles.”

* Paragraph 43 states: “We reiterate our commitments to the positive uses of the Internet and other ICTs and to take appropriate actions and preventive measures, as determined by law, against abusive uses of ICTs as mentioned under the Ethical Dimensions of the Information Society of the Geneva Declaration of Principles and Plan of Action.”

[3] Canada’s ‘Personal Information Protection and Electronic Documents Act’ can be found at http://www.privcom.gc.ca/legislation/02_06_01_e.asp, while Australia’s ‘Federal Privacy Act’ can be found at http://www.privacy.gov.au/act/privacyact.

[4] See the NCUC’s WHOIS Backgrounder document, Section B: International and National Laws Protecting Privacy of Natural Persons: Opinions from Leading Data Protection Authorities to ICANN. http://www.ncdnhc.org/policydocuments/whois-ncuc-backgrounder.pdf.  Also see Additional References at the end of this paper.

[5] Available online at: http://www.un.org/Overview/rights.html

[6] Available online at: http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

* Paragraph 46 states in part: “We call upon all stakeholders to ensure respect for privacy and the protection of personal information and data, whether via adoption of legislation, the implementation of collaborative frameworks, best practices and self-regulatory and technological measures by business and users.”

Freedom of Expression:  One of the most important ramifications of the loss of personal privacy entailed by ICANN’s WHOIS database policy is the resulting unavailability of anonymous speech by domain registrants.  Anonymous speech can be critical when legal speech places a speaker in danger of persecution or harassment by private or public entities.  The publication of accurate registrant data precludes such anonymity, and thus inhibits such speech.  This removes one of the most important tools for informing the general public about illegal and unethical actions by powerful people, namely “whistle-blowing” speech and other “inconvenient” discussions of policy and principle, which are crucial for effective democratic governance processes.  When free expression runs a risk of serious personal harm, that expression is systematically withheld, and society suffers from that loss.

The United Nations Universal Declaration for Human Rights also sets a precedent for protection of freedom of expression.  Article 19 states: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

Due Process:  Law enforcement officials may argue that they require easy access to WHOIS data in order to identify people who are breaking laws using the Internet, such as spammers, phishers and other perpetrators of fraudulent activities.  However, these officials may use subpoenas to get access to information that is genuinely related to active criminal investigations.  Such judicial oversight ensures that these officials do not overstep their legitimate authority to find and prosecute criminals.  The fact that such oversight is warranted in the offline world suggests that it should remain effective online as well.  General publication of WHOIS data allows such judicial oversight to be circumvented, perhaps allowing serious abuse of data access.

Identity Theft:  Another increasingly important concern with loss of data privacy is the threat of identity theft. Every uncontrolled source of personal data provides increased potential for criminals to masquerade as someone else in order to engage in fraudulent activities.  Such activities can lead to tremendous losses for victims and businesses, and require ongoing time, effort and expense to monitor credit reports for fraudulent developments and to establish corrections to credit histories and ratings, which may be prerequisite to carrying out important transactions in the normal course of life and business.

As advances in digital computing and telecommunications technology increase the availability of personal data and the means to manipulate it, this problem is growing worse.[7]  ICANN’s WHOIS policy currently contributes directly to this trend in unauthorized access to personal data that can enable identity fraud.

GNSO Votes for Reform

On 12 April 2006, the GNSO Council passed the following motion by an 18-to-9 margin:

“The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver.”

If the ICANN Board agrees with this recommendation and establishes it as official ICANN policy, this will confirm a clear definition of purpose for the WHOIS database that is confined to the technical purpose originally intended by the founders of the Internet.  NCUC strongly supports this recommendation, and urges the ICANN Board to accept and establish it as ICANN policy.

The consequences of this ruling should mandate changes in ICANN’s WHOIS policies, such that the requirement for accurate data be coupled with strong protections of personal privacy, and that only authorized technical personnel should normally be allowed to access personal data, only in the course of addressing technical problems.

Law enforcement personnel should be granted appropriate access in specific cases of active criminal investigation, with judicial oversight in accordance with due process (such as subpoenas) and in compliance with applicable privacy laws.

Conclusion

ICANN’s current policies for the WHOIS database, requiring both accurate data and public access to those data, are in conflict with broadly accepted principles and regulations for privacy protection.  ICANN’s own advisory organization, the GNSO, has recommended that ICANN establish the official purpose of the WHOIS database in accordance with its original purpose to enable reliable resolution of technical problems surrounding domain registration.

In so doing, ICANN should reform its WHOIS policies to ensure proper authorization for access to WHOIS data, to protect privacy, free expression and due process, and to avoid contributing to enabling identity theft.  This will remove the incentives for inaccurate and/or incomplete data, which will ensure that technical problems can indeed be solved quickly when they arise, while preventing unauthorized use of personal data.

[7] Facts and statistics about identity theft are summarized by the Identity Theft Resource Center (ITRC), a national non-profit organization in San Diego, California, USA at: http://www.idtheftcenter.org/facts.shtml. ITRC reports that a study by Harris Interactive shows increases in identity theft victimization of 11-20% between 2001 and 2002, and 80% between 2002 and 2003.

NCUC strongly urges ICANN to adopt these reforms and to be a productive partner and even a leader in reaching for the dual goals of reliable data and data protection. These goals are not independent; they are complementary and interdependent.

If ICANN fails to move forward with these reforms, it will place itself in the position of being a rogue actor in the international arena, in conflict with international treaties and numerous national privacy laws.  It will also establish itself as an opponent of the principles of privacy protection, and it will continue to create incentives for data inaccuracy in the WHOIS database.

As the WSIS Tunis Agenda for the Information Society states: “We recognize the need for further development of, and strengthened cooperation among, stakeholders for public policies for generic Top-Level Domain names (gTLDs).” (Paragraph 64)  The IGF should address ICANN’s policies regarding the WHOIS database and establish principles that appropriately and effectively protect privacy in the context of domain name registration.

Additional References:

Article 29 Working Party Opinion on Whois 2/2003:
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp77_en.pdf

Recent letter from Peter Schaar (Chair, Article 29 Working Party) to ICANN:
http://www.icann.org/correspondence/schaar-to-cerf-22jun06.pdf

Recent letter from Jennifer Stoddart, Canadian Privacy Commissioner:
http://www.icann.org/correspondence/stoddart-to-twomey-11jul06.pdf

Recent letter from the Commission de la Protection de la Vie Privée (Belgium):
http://www.icann.org/correspondence/parisse-to-icann-22jun06.pdf

EPIC’s Comments to GNSO on WHOIS:
http://forum.icann.org/lists/whois-comments/msg00042.html

EPIC US Congressional Testimony on WHOIS:
http://www.epic.org/privacy/whois/phishing_test.pdf

EPIC WHOIS page:
http://www.epic.org/privacy/whois