RE: [nc-whois] privacy remarks
I regret having missed Tuesday's conference call, which as you know
conflicted with a long-standing prior commitment.
I believe that Becky makes some excellent points below. I would only add
that not only do registrants have lots of choices, more significantly people
have lots of choices. If you want to have a robust and active online
presence, there is absolutely no obligation to register a domain name at the
second level and thus place your personally identifiable information in
Whois. Many alternative means are available.
On the other hand, I agree with Thomas' observation that it simply is not
practical to have different policies based on whether a registrant is an
individual, organization or business, because there is no real ability to
verify the reliability or accuracy of a registrant's self-designation. It
seems indisputable, for example, that although .name was intended to be a
TLD for individuals to register their own names, many actual .name
registrants -- perhaps thousands of them, see
http://cyber.law.harvard.edu/people/edelman/name-restrictions/ -- do not fit
that description and may not be individuals at all. This does not mean that
it is necessarily inappropriate to modify Whois policies for .name -- as you
know, the IPC did not oppose the changes recently approved by the ICANN
Board in this regard -- but just that the changes cannot be justified on the
basis that the .name registrants are individuals using their own names.
More fundamentally, even individual registrants can engage in improper
activity (such as crimes, fraud, piracy, child pornography etc.) or even
perfectly legitimate activity (e.g., commerce) for which there is a strong
interest in the accountability and transparency that the current gTLD Whois
Before I go further in response to Thomas' remarks, let me say again (as I
have in a number of previous Task Force conference calls) that our Task
Force is not really the place to get into a detailed discussion about what
particular privacy/data protection laws do or do not require with regard to
Whois. There are just too many variables and fact-specific details at play
for us to say anything very intelligent about the subject. At the
threshold, for instance, it is far from self-evident what national law(s)
even apply when the registrant is in country X, the registrar in country Y,
and the registry in country Z. An entire sub-discipline of the law is
devoted to figuring out the answers to these questions, or even the right
questions to ask in these situations. Frankly I doubt that anything we say
is going to shed much light on these subjects. That is why I believe the
best approach for our task force is simply to identify privacy/data
protection laws as an important factor that will influence implementation of
So I turn with some reluctance to Thomas' summary of the European "dogma"
(his word) on privacy. As often happens, in this case the dogma (as
articulated by one of the believers) does not correspond exactly with the
(legal) reality. To begin with, consent of the data subject (in this case,
a natural person who is a registrant) is one basis upon which personally
identifiable data may be processed in conformity with the European Data
Protection Directive (I refer to Article 7), but it is not the only basis.
Others include (not an exhaustive list): processing necessary for
performance of a contract with the data subject, or undertaken at the
request of the data subject; processing necessary for compliance with a
legal obligation imposed on the data controller; processing necessary for
performance of a task carried out in the public interest; processing
necessary for legitimate interests pursued by the data controller or others,
unless these are overriden by fundamental rights and freedoms of the data
subject. To the extent that European law (or more precisely the national
law of an EU Member State, which is supposed to be in conformity with the
Directive) is applicable to access to Whois under particular circumstances
(see preceding paragraph), all these other factors, in addition to consent,
would need to be considered in order to answer whether the "processing"
involved in making the data accessible is lawful.
Speaking of consent, I believe we should take into consideration Sections
18.104.22.168 - 22.214.171.124 of the Registrar Accreditation Agreement,
http://www.icann.org/registrars/ra-agreement-17may01.htm#3, which require
the registrar to obtain the consent of the registrant with regard to use and
disclosure of personally identifiable data (e.g., Whois). I believe that
Becky and others can confirm that these provisions were included in the RAA
primarily in an effort to ensure compliance with European data protection
requirements. They provide as follows:
126.96.36.199 Registrar shall provide notice to each new or renewed Registered
Name Holder stating:
188.8.131.52.1 The purposes for which any Personal Data collected from the
applicant are intended;
184.108.40.206.2 The intended recipients or categories of recipients of the data
(including the Registry Operator and others who will receive the data from
220.127.116.11.3 Which data are obligatory and which data, if any, are voluntary;
18.104.22.168.4 How the Registered Name Holder or data subject can access and, if
necessary, rectify the data held about them.
22.214.171.124 The Registered Name Holder shall consent to the data processing
referred to in Subsection 126.96.36.199.
188.8.131.52 The Registered Name Holder shall represent that notice has been
provided equivalent to that described in Subsection 184.108.40.206 to any
third-party individuals whose Personal Data are supplied to Registrar by the
Registered Name Holder, and that the Registered Name Holder has obtained
consent equivalent to that referred to in Subsection 220.127.116.11 of any such
18.104.22.168 Registrar shall agree that it will not process the Personal Data
collected from the Registered Name Holder in a way incompatible with the
purposes and other limitations about which it has provided notice to the
Registered Name Holder in accordance with Subsection 22.214.171.124 above.
Moving to Thomas' next point, I believe Becky has already responded to the
characterization of Whois as a "burden."
With regard to Thomas's first "very basic question" -- "which data users
need which data elements for which purposes?" -- I believe we have a wealth
of data responsive to that question in the 3000 or so responses to the
survey which this Task Force conducted back in the early days of this
century. Of course that data is not definitive but it is a lot more
concrete and relevant than any speculative answers that we might come up
with now. I think it is fair to summarize those responses as indicating
that most respondents in most categories (individuals, businesses,
governments, etc.) believed that nearly all of the data elements currently
accessible to the public via gTLD Whois were either valuable or essential
for one or more of the activities which these same respondents said they
carried out using Whois data. Let's go back and look at that data again
before plunging further down this track.
With regard to Thomas' second and third questions, I am certainly
comfortable saying that continued public access to Whois data enhances the
transparency and accountability of online activity in a way that contributes
substantially to the "stability of the Internet" in the following sense: in
order to create and maintain public confidence that people know who they are
dealing with online. To the extent that confidence is eroded by reducing
transparency and accountability, the Internet becomes practically (and also
technically) less stable. I believe our survey data supports this
conclusion, as did the report of the DNS Security and Stability Advisory
Committee. It may be that I have misunderstood Thomas' question in which
case I am sure he will set me straight. Concerning the third question about
whether "registrars' databases [are] an appropriate source for fulfilling
these data users' wishes," this question (like the one before it) is posed
in what I view as a biased manner (or perhaps I am misreading it), but I
would think in any case that the burden of demonstrating that an alternative
source of the data besides "registrars' databases" (cf. Section 3.5 of the
RAA) is "more appropriate" should rest upon those who advocate a change to
the status quo which (as Becky's post demonstrates) has been in force for
most of the past decade, at least.
I hope that these comments are helpful and look forward to your responses.
From: Burr, Becky [mailto:Beckwith.Burr@wilmer.com]
Sent: Tuesday, February 25, 2003 7:59 PM
To: Thomas Roessler; firstname.lastname@example.org
Subject: RE: [nc-whois] privacy remarks
I agree with Thomas that privacy is a significant compliance issue for
registrars in Europe and I believe that privacy and accuracy are intertwined
in the sense that people might feel more comfortable providing real
information if they felt like their data was being protected.
BUT (you knew there was one coming...)
Remember that Whois data was required by IANA from the beginning, and the
information to be included in whois has not changed materially since Jon set
it up. Thus, I think that the basic Whois requirement isn't fairly
considered a "burden" - or at least it is not a new burden.
While Jon Postel may well have had a limited technical use in mind for Whois
data, the "legitimate uses" have not been so limited for a very long time.
By 1995 both law enforcement and IP owners had come to rely on the
availability of this data, and both the Green Paper and the White Paper
specifically identified the law enforcement, consumer protection, and IP
uses as legitimate. The White Paper places Whois squarely within ICANN's
competency (to use a European word). FWIW, in my view Whois was an
important part of the bargain that created ICANN - and that deal was struck
with the full participation of governments from Europe and elsewhere.
When we were working on the ICANN/NSI contracts we spent a lot of time
wrestling with privacy issues. At the time, NSI was claiming to be the
champion of privacy rights for the little guy (have times changed?). Most
people (including the Europeans I spoke with) saw this as a fairly
transparent move to hold on to their customers and were more concerned about
NSI's ability to use Whois data to preserve and extend its monopoly than
they were about privacy. To the extent privacy was a real issue, people were
concerned about freedom of expression and political speech.
Despite NSI's evidently self-serving motivation, I did agree then that there
was a privacy issue. I initially suggested that we divide the world into
"commercial" and "non commercial" registrations. But that approach has some
The IP guys and law enforcement hated this idea. Not all harmful uses of
websites are "commercial" in the sense that money is changing hands. Is a
site that facilitates the ability of individuals to trade child pornography
The registry guys, the ISPs, and some civil liberties advocates didn't like
it much either. If you eliminate the public whois requirements for
non-commercial domain names, you need some kind of enforcement mechanism. I
can always say I'm going to use my site for non-commercial purposes and then
proceed to use my web site to sell Disney movies. Within .com, consumers
don't know what registrants have said about their commercial intentions. If
there is any chance that a registry or a registrar could be liable for
contributory infringement (as they well might be after they are on notice of
the activity) then a prudent registrar would yank a domain name registration
the moment somebody complains. Registrars won't be in a position (by
training or as part of my business model) to evaluate whether or not the
site is doing something commercial. They can avoid liability for taking
down someone's site, but it is harder to avoid liability for contributory
infringement. A prudent re!
gistrar will, as I said, yank the registration every time. As a civil
liberties matter, this is worrisome. Do I really want even my favorite
registrar to decide whether my use of copyrighted material is a fair use
under U.S. law? And, as someone who came of age in the Viet Nam and
Watergate era, I don't like the idea that law enforcement would have special
access to data that, for example, members of the press couldn't get at.
That's why most of our countries now have some sort of freedom of
So, I take a pretty pragmatic approach to Whois these days.
First, I have always thought that there ought to be a separate place for
people who don't want their personal information posted to register.
Fundamentally, that's what .name is - and there could be lots of other tlds
specifically designed to serve individual/non-commercial users. (In fact,
registrants actually have lots of choices already. Many of the ccTLDs also
do not post Whois data.) One really big advantage of a separate space for
non-commercial users is that it has enormous consumer protection upsides.
The consumer education message is very easy - be careful about buying
something from a web site operating in a personal/non-commercial space -
they are there because they don't want you to find them.
Second, I came to the conclusion that there is no foolproof way to prevent
bad actors from getting Whois data without driving all registrars out of
business and driving the price of domain name registration way up. We all
know about the margins these guys are operating on - requiring them to set
up the infrastructure to authenticate who was or was not law enforcement, to
take calls from people with legitimate reasons for accessing whois data, or
taking extraordinary measures to ensure that data is accurate, etc. is
simply a non-starter. So a tiered system would work ONLY (1) if it can be
automated, (2)it can handle the bulk of legitimate needs to access whois
data, and (3)the registrar is not put in the position of having to judge
except at the margins whether or not a particular use is legitimate.
That leads, inevitably, to the speed bump approach taken by .name. I can't
recall ever seeing a speed bump in Europe, so I'll explain: speed bumps are
things put in a road that forces drivers to slow down if they don't want to
do damage to their cares. In the Whois context, speed bumps are things like
contracts and payments that are a bit of a hassle and that increase
accountability for misuse of the data. The don't eliminate misuse - they
just make it a whole lot less likely.
FWIW, here is my practical solution for privacy and whois:
1. Provide plenty of personal name spaces like .name and give consumers a
CHOICE about where they register. Every ccTLD could set up a personal
second level domain tomorrow if they wanted to. They could set up a space
for sole proprietors as well. Or ICANN could do so in this next round.
2. Limit access to Whois data in those spaces using speed bumps that can be
3. Don't try to turn the clock back to 1992 and purely "technical" uses of
Whois. It's impractical, can't be administered rationally by registrars or
registries, and if you do that, you may end up with a whole lot of
compensating laws and obligations that will be a lot more oppressive.
3. Educate consumers about why they should exercise care when dealing with
a business that has elected to locate in a personal name space.
4. Enhance accountability (through contracts, logs, access requests) of
those who misuse Whois data. (One of the nice things about .name's approach
is that I can ask the registry to tell me who has been doing searches on me.
The searchers are then given an opportunity to prevent the release of that
information under some circumstances. A Whois FOIA. though not a perfect
I have been thinking about domain name privacy issues for as long as anyone
around (at least). These issues are complicated and I see good arguments on
both sides. My suggestions may be rather pedestrian and imperfect but
would, I think, significantly enhance the privacy of Whois data. But as
some of my loudest critics say, I have never been one to let the quest for
perfection stand in the way of achieving the good.
Having said all this, I'm still not sure why our report has to resolve
privacy. This is one of those "if you can't fix it feature it" problems.
Let's acknowledge that privacy is a whois issue, and recommend that the
Names Council commission further work on the topic.
From: Thomas Roessler [mailto:email@example.com]
Sent: Tuesday, February 25, 2003 5:59 PM
Subject: [nc-whois] privacy remarks
Let me try to briefly summarize my remarks made during today's
conference call in writing, and to elaborate further on some points.
1. Comments received: I had asked both the members of the GA list
and my colleagues on the ALAC for any input they may have for our
brainstorming. A predominant observation was that privacy concerns
with respect to WHOIS are a compliance issue *at* *least* in Europe.
Michael Palage made slides available which compare applicable law in
the US and in the European Union; I forwarded these to the list.
Ross Rader proposed that it would be best not to consult with
individual governments or groups (since following local agendas or
tracking national laws would be impracticable), but to ask the GAC
for formal advice.
2. Speaking from a European point of view, a fundamental "dogma" of
privacy regulations on the Old Continent is that data must be
collected and processed for a specific purpose, to which the data
subject has given its consent, and must not (in general) be
processed (transferred, ...) for other purposes. A different way of
stating this principle is that the data must not be used for
purposes to which the data subject has not given its consent, and
that promises made about the use of the data must be respected.
This principle may be a useful tool for developing policy since it
requires a certain amount of clarity about the possible uses of
data. Specifically, what kinds of uses are compatible with the
initial purpose for which the data have been collected? Where are
3. There's another principle we need to adhere to, and that's
ICANN's mission and core values. WHOIS is a burden on registrars,
registries, and registrants -- that burden must only be placed on
them for essential purposes within ICANN's mission, not for other
things which might just be "nice to have" for some.
Taken together, these principles would lead to the approach of
asking a number of very basic questions (to which we still don't
have a comprehensive answer):
a) Which data users need which data elements for which purposes?
b) Is it essential for the stability of the Internet that these data
users can indeed use the data for the purpose given?
c) Are registrars' databases an appropriate source for fulfilling
these data users' wishes, or are there different ways to more
appropriately access these data?
When we have identified those uses and users for which all three
questions can be answered with "yes", then we have identified the
necessary characteristics of a future WHOIS service. Once that's
done, the question comes up how this access to registrants'
databases can be granted. The simplest approach is, of course,
making all the data public -- much like the WHOIS service we have
Figuring out how to make the data available for essential purposes
(as defined by a-c) without publishing everything, and figuring out
what data elements possibly still to publish is the challenge we are
facing. I'd like to invite you to think through your favorite uses
with the criteria above in mind.
Finally, let me make some observations on the idea of classifying
data subjects into, say, individuals, organizations, and businesses,
and imposing different kinds of data publication policies on them --
this has been floating around for some conference calls now. The
approach of having class-wide policies brings a difficulty: Those
with fraudulent activities would certainly be willing to lie about
their classification, just like they would lie about their address
now. Thus, availability of data elements would in practice always be
determined by the policy for class of data subjects with the most
strict protection -- most likely individuals. Publishing anything
else would, in practice, be optional.
Instead of creating a lot of headache by figuring out the individual
classes' policies, it may be the simplest approach to forget about
classes of data subjects on the conceptual level, and to just think
about mandatory and optional publication of certain data elements --
after all, that's what it boils down to in practice anyway. What
optional data elements are published could be the registrant's own
decision (regardless of his class), and it would then *not* be a
policy matter. Only the mandatory elements would be determined by
policy, and they would be determined in a way which makes them
appropriate for "genuine" individual registrants.
(Note that I assume, in this argument, that some kind of privileged
access is available for the essential uses defined above.)
Regards (and good night),
Thomas Roessler <firstname.lastname@example.org>