DNSO Mailing lists archives



RE: [nc-whois] privacy remarks

I agree with Thomas that privacy is a significant compliance issue for registrars in Europe and I believe that privacy and accuracy are intertwined in the sense that people might feel more comfortable providing real information if they felt like their data was being protected.

BUT (you knew there was one coming...)

Remember that Whois data was required by IANA from the beginning, and the information to be included in whois has not changed materially since Jon set it up.  Thus, I think that the basic Whois requirement isn't fairly considered a "burden" - or at least it is not a new burden.

While Jon Postel may well have had a limited technical use in mind for Whois data, the "legitimate uses" have not been so limited for a very long time.  By 1995 both law enforcement and IP owners had come to rely on the availability of this data, and both the Green Paper and the White Paper specifically identified the law enforcement, consumer protection, and IP uses as legitimate.  The White Paper places Whois squarely within ICANN's competency (to use a European word).  FWIW, in my view Whois was an important part of the bargain that created ICANN - and that deal was struck with the full participation of governments from Europe and elsewhere.

When we were working on the ICANN/NSI contracts we spent a lot of time wrestling with privacy issues.  At the time, NSI was claiming to be the champion of privacy rights for the little guy (have times changed?).  Most people (including the Europeans I spoke with) saw this as a fairly transparent move to hold on to their customers and were more concerned about NSI's ability to use Whois data to preserve and extend its monopoly than they were about privacy. To the extent privacy was a real issue, people were concerned about freedom of expression and political speech.

Despite NSI's evidently self-serving motivation, I did agree then that there was a privacy issue.  I initially suggested that we divide the world into "commercial" and "non commercial" registrations.  But that approach has some real downsides.  

The IP guys and law enforcement hated this idea. Not all harmful uses of websites are "commercial" in the sense that money is changing hands.  Is a site that facilitates the ability of individuals to trade child pornography commercial?  

The registry guys, the ISPs, and some civil liberties advocates didn't like it much either.  If you eliminate the public whois requirements for non-commercial domain names, you need some kind of enforcement mechanism.  I can always say I'm going to use my site for non-commercial purposes and then proceed to use my web site to sell Disney movies.  Within .com, consumers don't know what registrants have said about their commercial intentions.  If there is any chance that a registry or a registrar could be liable for contributory infringement (as they well might be after they are on notice of the activity) then a prudent registrar would yank a domain name registration the moment somebody complains.  Registrars won't be in a position (by training or as part of my business model) to evaluate whether or not the site is doing something commercial.  They can avoid liability for taking down someone's site, but it is harder to avoid liability for contributory infringement.  A prudent registrar will, as I said, yank the registration every time.  As a civil liberties matter, this is worrisome.  Do I really want even my favorite registrar to decide whether my use of copyrighted material is a fair use under U.S. law?  And, as someone who came of age in the Viet Nam and Watergate era, I don't like the idea that law enforcement would have special access to data that, for example, members of the press couldn't get at.  That's why most of our countries now have some sort of freedom of information act.

So, I take a pretty pragmatic approach to Whois these days.  

First, I have always thought that there ought to be a separate place for people who don't want their personal information posted to register.  Fundamentally, that's what .name is - and there could be lots of other tlds specifically designed to serve individual/non-commercial users.  (In fact, registrants actually have lots of choices already.  Many of the ccTLDs also do not post Whois data.)  One really big advantage of a separate space for non-commercial users is that it has enormous consumer protection upsides.  The consumer education message is very easy - be careful about buying something from a web site operating in a personal/non-commercial space - they are there because they don't want you to find them. 

Second, I came to the conclusion that there is no foolproof way to prevent bad actors from getting Whois data without driving all registrars out of business and driving the price of domain name registration way up.  We all know about the margins these guys are operating on - requiring them to set up the infrastructure to authenticate who was or was not law enforcement, to take calls from people with legitimate reasons for accessing whois data, or taking extraordinary measures to ensure that data is accurate, etc. is simply a non-starter. So a tiered system would work ONLY (1) if it can be automated, (2) it can handle the bulk of legitimate needs to access whois data, and (3) the registrar is not put in the position of having to judge except at the margins whether or not a particular use is legitimate.

That leads, inevitably, to the speed bump approach taken by .name.  I can't recall ever seeing a speed bump in Europe, so I'll explain:  speed bumps are things put in a road that force drivers to slow down if they don't want to do damage to their cars.  In the Whois context, speed bumps are things like contracts and payments that are a bit of a hassle and that increase accountability for misuse of the data.  They don't eliminate misuse - they just make it a whole lot less likely.

FWIW, here is my practical solution for privacy and whois:

1.  Provide plenty of personal name spaces like .name and give consumers a CHOICE about where they register.  Every ccTLD could set up a personal second level domain tomorrow if they wanted to.  They could set up a space for sole proprietors as well.  Or ICANN could do so in this next round.
2.  Limit access to Whois data in those spaces using speed bumps that can be administered automatically.
3.  Don't try to turn the clock back to 1992 and purely "technical" uses of Whois.  It's impractical, can't be administered rationally by registrars or registries, and if you do that, you may end up with a whole lot of compensating laws and obligations that will be a lot more oppressive.
4.  Educate consumers about why they should exercise care when dealing with a business that has elected to locate in a personal name space.
5.  Enhance accountability (through contracts, logs, access requests) of those who misuse Whois data.  (One of the nice things about .name's approach is that I can ask the registry to tell me who has been doing searches on me.  The searchers are then given an opportunity to prevent the release of that information under some circumstances.  A Whois FOIA, though not a perfect one.)

I have been thinking about domain name privacy issues for as long as anyone around (at least).  These issues are complicated and I see good arguments on both sides.  My suggestions may be rather pedestrian and imperfect but would, I think, significantly enhance the privacy of Whois data.  But as some of my loudest critics say, I have never been one to let the quest for perfection stand in the way of achieving the good.

Having said all this, I'm still not sure why our report has to resolve privacy.  This is one of those "if you can't fix it, feature it" problems.  Let's acknowledge that privacy is a whois issue, and recommend that the Names Council commission further work on the topic.


-----Original Message-----
From: Thomas Roessler [mailto:roessler@does-not-exist.org]
Sent: Tuesday, February 25, 2003 5:59 PM
To: nc-whois@dnso.org
Subject: [nc-whois] privacy remarks

Let me try to briefly summarize my remarks made during today's
conference call in writing, and to elaborate further on some points.

1. Comments received: I had asked both the members of the GA list
and my colleagues on the ALAC for any input they may have for our
brainstorming.  A predominant observation was that privacy concerns
with respect to WHOIS are a compliance issue *at* *least* in Europe.
Michael Palage made slides available which compare applicable law in
the US and in the European Union; I forwarded these to the list.
Ross Rader proposed that it would be best not to consult with
individual governments or groups (since following local agendas or
tracking national laws would be impracticable), but to ask the GAC
for formal advice.

2. Speaking from a European point of view, a fundamental "dogma" of
privacy regulations on the Old Continent is that data must be
collected and processed for a specific purpose, to which the data
subject has given its consent, and must not (in general) be
processed (transferred, ...) for other purposes.  A different way of
stating this principle is that the data must not be used for
purposes to which the data subject has not given its consent, and
that promises made about the use of the data must be respected.

This principle may be a useful tool for developing policy since it
requires a certain amount of clarity about the possible uses of
data.  Specifically, what kinds of uses are compatible with the
initial purpose for which the data have been collected?  Where are
the exceptions?

3. There's another principle we need to adhere to, and that's
ICANN's mission and core values.  WHOIS is a burden on registrars,
registries, and registrants -- that burden must only be placed on
them for essential purposes within ICANN's mission, not for other
things which might just be "nice to have" for some.

Taken together, these principles would lead to the approach of
asking a number of very basic questions (to which we still don't
have a comprehensive answer):

a) Which data users need which data elements for which purposes?

b) Is it essential for the stability of the Internet that these data
users can indeed use the data for the purpose given?

c) Are registrars' databases an appropriate source for fulfilling
these data users' wishes, or are there different ways to more
appropriately access these data?

When we have identified those uses and users for which all three
questions can be answered with "yes", then we have identified the
necessary characteristics of a future WHOIS service. Once that's
done, the question comes up how this access to registrants'
databases can be granted.  The simplest approach is, of course,
making all the data public -- much like the WHOIS service we have

Figuring out how to make the data available for essential purposes
(as defined by a-c) without publishing everything, and figuring out
what data elements possibly still to publish is the challenge we are
facing.  I'd like to invite you to think through your favorite uses
with the criteria above in mind.

Finally, let me make some observations on the idea of classifying
data subjects into, say, individuals, organizations, and businesses,
and imposing different kinds of data publication policies on them --
this has been floating around for some conference calls now.  The
approach of having class-wide policies brings a difficulty: Those
with fraudulent activities would certainly be willing to lie about
their classification, just like they would lie about their address
now. Thus, availability of data elements would in practice always be
determined by the policy for the class of data subjects with the most
strict protection -- most likely individuals.  Publishing anything
else would, in practice, be optional.

Instead of creating a lot of headache by figuring out the individual
classes' policies, it may be the simplest approach to forget about
classes of data subjects on the conceptual level, and to just think
about mandatory and optional publication of certain data elements --
after all, that's what it boils down to in practice anyway.  What
optional data elements are published could be the registrant's own
decision (regardless of his class), and it would then *not* be a
policy matter.  Only the mandatory elements would be determined by
policy, and they would be determined in a way which makes them
appropriate for "genuine" individual registrants.

(Note that I assume, in this argument, that some kind of privileged
access is available for the essential uses defined above.)

Regards (and good night),
Thomas Roessler                        <roessler@does-not-exist.org>
